Detection rules › Sublime MQL
Attachment: HTML smuggling - QR Code with suspicious links
This rule detects messages with HTML attachments containing QR codes
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | QR code |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
type.inbound
and 1 <= length(attachments) < 3
// inspects HTML attachments for QR codes
and any(attachments,
(
.file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
or (
.file_extension is null
and .file_type == "unknown"
and .content_type == "application/octet-stream"
)
or .file_extension in~ $file_extensions_common_archives
or .file_type == "html"
or .content_type == "text/html"
)
and any(file.explode(file.html_screenshot(.)),
// any URL
ml.link_analysis(.scan.qr.url).submitted
// currently we won't pick it up as a URL if it's
// not prefaced with a scheme. this is not very strong,
// but it's unlikely to cause FPs for this rule
or regex.contains(.scan.qr.data, '\.')
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
Detection logic
Scope: inbound message.
This rule detects messages with HTML attachments containing QR codes
- inbound message
all of:
- length(attachments) ≥ 1
- length(attachments) < 3
any of
attachmentswhere all hold:any of:
- .file_extension in ('html', 'htm', 'shtml', 'dhtml', 'xhtml')
all of:
- .file_extension is missing
- .file_type is 'unknown'
- .content_type is 'application/octet-stream'
- .file_extension in $file_extensions_common_archives
- .file_type is 'html'
- .content_type is 'text/html'
any of
file.explode(...)where any holds:- ml.link_analysis(.scan.qr.url).submitted
- .scan.qr.data matches '\\.'
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
any of:
not:
- profile.by_sender().solicited
all of:
- profile.by_sender().any_messages_malicious_or_spam
not:
- profile.by_sender().any_messages_benign
not:
- profile.by_sender().any_messages_benign
Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, file.html_screenshot, ml.link_analysis, profile.by_sender, regex.contains. Reference lists: $file_extensions_common_archives, $high_trust_sender_root_domains.
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
attachments[].file_extension | member | html |
attachments[].file_extension | member | htm |
attachments[].file_extension | member | shtml |
attachments[].file_extension | member | dhtml |
attachments[].file_extension | member | xhtml |
attachments[].file_type | equals | unknown |
attachments[].content_type | equals | application/octet-stream |
attachments[].file_type | equals | html |
attachments[].content_type | equals | text/html |
regex.contains | regex | \. |