sublime-security · morriscode · Sep 28, 2023 · Sep 28, 2023 · Sep 28, 2023 · Sep 28, 2023
@@ -0,0 +1,83 @@
+name: "Attachment: QR code with credential phishing indicators"
+description: |
+  Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded  URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more. 
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and 1 <= length(attachments) < 3
+
+  // Inspects image attachments for QR codes
+  and any(attachments,
+          .file_type in $file_types_images
+          and (
+            any(file.explode(.),
+                .scan.qr.type == "url"
+                and (
+                  // pass the QR URL to LinkAnalysis
+                  any([beta.linkanalysis(.scan.qr.url)],
+                      .credphish.disposition == "phishing"
+
+                      // any routing traverses via $suspicious_tld list
+                      or any(.redirect_history, .domain.tld in $suspicious_tlds)
+
+                      // effective destination in $suspicious_tld list
+                      or .effective_url.domain.tld in $suspicious_tlds
+
+                      // or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
+                      or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
+
+                      // or any files downloaded are zips or executables
+                      or any(.files_downloaded,
+                             .file_extension in $file_extensions_common_archives
+                             or .file_extension in $file_extensions_executables
+                      )
+                  )
+                  or (
+
+                    // or the QR code's root domain is a url_shortener
+                    .scan.qr.url.domain.root_domain in $url_shorteners
+
+                    // exclude google maps
+                    and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
+                  )
+
+                  // the QR code url is a bing open redirect
+                  or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
+                  or (
+
+                    // usap-dc open redirect
+                    .scan.qr.url.domain.root_domain == "usap-dc.org"
+                    and .scan.qr.url.path =~ "/tracker"
+                    and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
+                  )
+                )
+            )
+          )
+  )
+
+  // first time sender
+  and (
+            (
+                sender.email.domain.root_domain in $free_email_providers
+                and sender.email.email not in $sender_emails
+            )
+            or (
+                sender.email.domain.root_domain not in $free_email_providers
+                and sender.email.domain.domain not in $sender_domains
+            )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "QR code"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "QR code analysis"
+  - "Sender analysis"
+  - "URL analysis"
+  - "URL screenshot"
+id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"