Skip to content

Commit

Permalink
FN: Update attachment_microsoft_image_lure_qr_code.yml (#823)
Browse files Browse the repository at this point in the history 
Co-authored-by: Ross Wolf <[email protected]>
  • Loading branch information
@morriscode @rw-access
morriscode and rw-access authored Sep 26, 2023
1 parent b6f9ef6 commit 9ed2b69
Showing 1 changed file with 28 additions and 6 deletions.
34 changes: 28 additions & 6 deletions detection-rules/attachment_microsoft_image_lure_qr_code.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,33 @@ source: |
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
)
or (
any(file.explode(.),
.scan.qr.type == "url"
// recipient email address is present in the URL, a common tactic used in credential phishing attacks
and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
or (
any(file.explode(.),
.scan.qr.type == "url"
// recipient email address is present in the URL, a common tactic used in credential phishing attacks
and any(recipients.to,
strings.icontains(..scan.qr.data, .email.email)
// the recipients sld is in the senders display name
or any(recipients.to,
strings.icontains(sender.display_name, .email.domain.sld)
)
// the recipient local is in the body
or any(recipients.to,
strings.icontains(body.current_thread.text, .email.local_part)
)
// or the body is null
or body.current_thread.text is null
or body.current_thread.text == ""
// or the subject contains authentication/urgency verbiage
or regex.contains(subject.subject,
"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
)
)
)
)
)
Expand All @@ -46,6 +67,7 @@ source: |
and sender.email.domain.domain not in $recipient_domains
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down

0 comments on commit 9ed2b69

Please sign in to comment.