diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml index 893ce305af0..7b024a35f89 100644 --- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml +++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml @@ -19,12 +19,33 @@ source: | regex.icontains(.scan.ocr.raw, 'scan|camera') and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode') ) - ) - or ( - any(file.explode(.), - .scan.qr.type == "url" - // recipient email address is present in the URL, a common tactic used in credential phishing attacks - and any(recipients.to, strings.icontains(..scan.qr.data, .email.email)) + or ( + any(file.explode(.), + .scan.qr.type == "url" + // recipient email address is present in the URL, a common tactic used in credential phishing attacks + and any(recipients.to, + strings.icontains(..scan.qr.data, .email.email) + + // the recipients sld is in the senders display name + or any(recipients.to, + strings.icontains(sender.display_name, .email.domain.sld) + ) + + // the recipient local is in the body + or any(recipients.to, + strings.icontains(body.current_thread.text, .email.local_part) + ) + + // or the body is null + or body.current_thread.text is null + or body.current_thread.text == "" + + // or the subject contains authentication/urgency verbiage + or regex.contains(subject.subject, + "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)" + ) + ) + ) ) ) ) @@ -46,6 +67,7 @@ source: | and sender.email.domain.domain not in $recipient_domains ) ) + attack_types: - "Credential Phishing" tactics_and_techniques: