From 9ed2b695a818634f6803595688a337277ff00e82 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Tue, 26 Sep 2023 13:35:54 -0400
Subject: [PATCH] FN: Update attachment_microsoft_image_lure_qr_code.yml (#823)

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
---
 ...ttachment_microsoft_image_lure_qr_code.yml | 34 +++++++++++++++----
 1 file changed, 28 insertions(+), 6 deletions(-)

diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 893ce305af0..7b024a35f89 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -19,12 +19,33 @@ source: |
         regex.icontains(.scan.ocr.raw, 'scan|camera') and
         regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
       )
-    )
-    or (
-      any(file.explode(.),
-          .scan.qr.type == "url"
-          // recipient email address is present in the URL, a common tactic used in credential phishing attacks
-          and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
+      or (
+        any(file.explode(.),
+            .scan.qr.type == "url"
+            // recipient email address is present in the URL, a common tactic used in credential phishing attacks
+            and any(recipients.to,
+              strings.icontains(..scan.qr.data, .email.email)
+
+              // the recipients sld is in the senders display name
+              or any(recipients.to,
+                strings.icontains(sender.display_name, .email.domain.sld)
+              )
+
+              // the recipient local is in the body
+              or any(recipients.to,
+                strings.icontains(body.current_thread.text, .email.local_part)
+              )
+
+              // or the body is null
+              or body.current_thread.text is null
+              or body.current_thread.text == ""
+
+              // or the subject contains authentication/urgency verbiage
+              or regex.contains(subject.subject,
+                "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
+              )
+            )
+        )
       )
     )
   )
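Review bot: The new subject check `or regex.contains(subject.subject, "(Authenticat(e|or|ion)|2fa|Multi.Factor|…)"` is case-sensitive, while the OCR checks in the leading context of this hunk use `regex.icontains`; because the pattern mixes `Authenticat` with lowercase `2fa` and `alert`, a subject written as "2FA required" or "ALERT" (constructed examples) does not match, so the line should read `or regex.icontains(subject.subject,`. The sld-in-display-name, local-part-in-body, empty-body and subject alternatives are placed inside the outer `any(recipients.to, …)` although only `strings.icontains(..scan.qr.data, .email.email)` reads the iterated recipient, and the two nested `any(recipients.to, …)` rebind `.` within that scope; hoisting those alternatives out beside the outer `any` and joining them with `or` gives the same result whenever `recipients.to` is non-empty and removes the shadowing. The comment `// recipient email address is present in the URL, a common tactic used in credential phishing attacks` now heads a block that also covers sender, body and subject conditions and should move to directly above the `strings.icontains(..scan.qr.data, .email.email)` line. The `body.current_thread.text is null` and `== ""` alternatives make any URL QR code in an image-only message sufficient on its own, which is presumably the intended false-negative fix but widens the rule noticeably; a short comment recording that tradeoff, e.g. `// image-only messages carry no text to corroborate, so the QR URL alone is treated as sufficient`, would help the next tuning pass. The enclosing `source:` query begins before this hunk and two of the trailing context `)` lines close parentheses opened outside it.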
@@ -46,6 +67,7 @@ source: |
       and sender.email.domain.domain not in $recipient_domains
     )
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques: