-
Notifications
You must be signed in to change notification settings - Fork 45
/
attachment_qr_code_suspicious_components.yml
92 lines (81 loc) · 3.55 KB
/
attachment_qr_code_suspicious_components.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
name: "Attachment: QR code with credential phishing indicators"
description: |
Detects messages with between 1-3 attachments containing a QR code with suspicious credential theft indicators, such as: LinkAnalysis credential phishing conclusion, decoded QR code url traverses suspicious infrastructure, the final destination is in URLhaus, decoded URL downloads a zip or executable, leverages URL shorteners, known QR abused openredirects, and more.
type: "rule"
severity: "medium"
source: |
type.inbound
and 1 <= length(attachments) < 3
// Inspects image attachments for QR codes
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(file.explode(.),
.scan.qr.type == "url"
and (
// pass the QR URL to LinkAnalysis
any([ml.link_analysis(.scan.qr.url)],
.credphish.disposition == "phishing"
// any routing traverses via $suspicious_tld list
or any(.redirect_history, .domain.tld in $suspicious_tlds)
// effective destination in $suspicious_tld list
or .effective_url.domain.tld in $suspicious_tlds
// or the effective destination domain is in $abuse_ch_urlhaus_domains_trusted_reporters
or .effective_url.domain.root_domain in $abuse_ch_urlhaus_domains_trusted_reporters
// or any files downloaded are zips or executables
or any(.files_downloaded,
.file_extension in $file_extensions_common_archives
or .file_extension in $file_extensions_executables
)
)
or (
// or the QR code's root domain is a url_shortener
.scan.qr.url.domain.root_domain in $url_shorteners
// exclude google maps
and not strings.starts_with(.scan.qr.url.url, 'https://goo.gl/maps')
and not strings.starts_with(.scan.qr.url.url, 'https://maps.app.goo.gl')
)
// the QR code url is a bing open redirect
or .scan.qr.url.domain.root_domain == 'bing.com' and .scan.qr.url.path =~ '/ck/a'
or (
// usap-dc open redirect
.scan.qr.url.domain.root_domain == "usap-dc.org"
and .scan.qr.url.path =~ "/tracker"
and strings.starts_with(.scan.qr.url.query_params, "type=dataset&url=http")
)
)
)
)
)
and (
(
profile.by_sender().prevalence in ("new", "outlier")
and not profile.by_sender().solicited
)
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "QR code"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Header analysis"
- "Natural Language Understanding"
- "QR code analysis"
- "Sender analysis"
- "URL analysis"
- "URL screenshot"
id: "9f1681e1-8c15-5edd-9aaa-eb5af1729322"