Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Rule: QR Code with suspicious indicators #817

Merged
merged 8 commits into from
Oct 5, 2023
56 changes: 56 additions & 0 deletions detection-rules/qr_code_suspicious_indicators.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
name: "QR Code with suspicious indicators"
description: |
This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.
type: "rule"
severity: "high"
source: |
type.inbound
and (
length(attachments) <= 3
and (
any(attachments,
.file_type in $file_types_images and (any(file.explode(.), .scan.qr.type == "url"))
)
or (
length(attachments) == 0
and any(file.explode(beta.message_screenshot()), .scan.qr.type == "url")
)
)
and not sender.email.domain.root_domain in $org_display_names
and (
any(recipients.to, strings.icontains(sender.display_name, .email.domain.sld))
or any(recipients.to, strings.icontains(body.current_thread.text, .email.local_part))
or length(body.current_thread.text) is null
or body.current_thread.text == ""
or regex.contains(subject.subject,
"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
or (any(recipients.to, strings.icontains(subject.subject, .display_name)))
or (
(length(recipients.to) == 0 or all(recipients.to, .display_name == "Undisclosed recipients"))
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
)
)
)

// sender profile is new or outlier
and (
profile.by_sender().prevalence in ("new", "outlier")
or (profile.by_sender().any_malicious_messages and not profile.by_sender().any_false_positives)
)

attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "QR code"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Computer Vision"
- "Natural Language Understanding"
- "QR code analysis"
- "Sender analysis"
- "URL analysis"
id: "04f5c34f-6518-512d-916c-4c2c2827c6a9"