diff --git a/detection-rules/attachment_microsoft_image_lure_qr_code.yml b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
index 893ce305af0..e9af7b45b62 100644
--- a/detection-rules/attachment_microsoft_image_lure_qr_code.yml
+++ b/detection-rules/attachment_microsoft_image_lure_qr_code.yml
@@ -19,12 +19,35 @@ source: |
 regex.icontains(.scan.ocr.raw, 'scan|camera')
 and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
 )
- )
- or (
- any(file.explode(.),
- .scan.qr.type == "url"
- // recipient email address is present in the URL, a common tactic used in credential phishing attacks
- and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
+ or (
+ any(file.explode(.),
+ .scan.qr.type == "url"
+ // recipient email address is present in the URL, a common tactic used in credential phishing attacks
+ and any(recipients.to,
+ strings.icontains(..scan.qr.data, .email.email)
+ or (
+
+ // the recipients sld is in the senders display name
+ any(recipients.to,
+ strings.icontains(sender.display_name, .email.domain.sld)
+ )
+
+ // the recipient local is in the body
+ or any(recipients.to,
+ strings.icontains(body.current_thread.text, .email.local_part)
+ )
+
+ // or the body is null
+ or length(body.current_thread.text) is null
+ or body.current_thread.text == ""
+
+ // or the subject contains authentication/urgency verbiage
+ or regex.contains(subject.subject,
+ "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
+ )
+ )
+ )
+ )
 )
 )
 )
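Review bot: The subject check at the end of the new `or (...)` group uses `regex.contains`, which is case-sensitive, while the OCR checks in this same hunk use `regex.icontains`; the lowercase alternatives `2fa`, `(qr|bar).code`, `action.require` and `alert` will therefore miss subjects such as "2FA", "QR Code" or "Action Required", and `or regex.icontains(subject.subject,` would close that gap. With case-insensitive matching the bare `alert` alternative becomes broad, so a word boundary (`\balert\b`) is worth adding at the same time. Separately, the empty-body and subject clauses do not reference the recipient being iterated yet sit inside `any(recipients.to, ...)`, and the two inner `any(recipients.to, ...)` calls nest inside the outer one, so the retained comment "recipient email address is present in the URL" no longer describes the condition; consider hoisting the recipient-independent clauses out of the `any` and rewording the comment to say that any one of these signals is sufficient alongside a QR URL. The rule's `source` expression begins and ends outside this hunk, so how this branch combines with the rest of the rule cannot be confirmed from here.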