From 8369b78f608d6f23f281372edb1552c980dc6b14 Mon Sep 17 00:00:00 2001
From: Aiden Mitchell
Date: Wed, 4 Oct 2023 10:46:56 -0700
Subject: [PATCH] Updating rule: attachment_microsoft_image_lure_qr_code.yml (#812)
Co-authored-by: Sam Scholten
---
 .../attachment_microsoft_image_lure_qr_code.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 7b024a35f89..8ad0f0d1947 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -7,13 +7,18 @@ source: |
   type.inbound
   and (
     any(attachments,
-      .file_type in $file_types_images
+      (.file_type in $file_types_images or .file_type == "pdf")
       and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
     )
     or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
+    or (any(attachments, .file_type in~ $file_extensions_macros))
   )
   and any(attachments,
-    .file_type in $file_types_images
+    (
+      .file_type in $file_types_images
+      or .file_type == "pdf"
+      or .file_type in $file_extensions_macros
+    )
     and (
       any(file.explode(.),
         regex.icontains(.scan.ocr.raw, 'scan|camera')
@@ -72,6 +77,7 @@ attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
   - "Impersonation: Brand"
+  - "PDF"
   - "QR code"
   - "Social engineering"
 detection_methods:
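Review bot: The two new macro checks in the first hunk disagree on case handling: the OR-gate uses `.file_type in~ $file_extensions_macros` (case-insensitive) while the second attachment filter uses `.file_type in $file_extensions_macros` (case-sensitive), so an attachment that passes the gate can fail the filter and the rule silently never fires for it; change the filter line to `or .file_type in~ $file_extensions_macros` so both agree. The macro branch also bypasses `ml.logo_detect` entirely, so a macro-enabled attachment now only needs the OCR/QR conditions to match, which widens the rule beyond the Microsoft-brand impersonation its name and the "Impersonation: Brand" tag describe — a one-line comment stating that this widening is intentional, or a brand condition on that branch, would make the intent clear. Since the list is named `$file_extensions_macros`, it is worth confirming that `.file_type` values are spelled the same as that list's entries (rather than the field being `.file_extension`), as a mismatch would again make the branch dead without any error. The `and any(attachments, ...)` condition continues past the end of the hunk.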