Compensation review with QR code in attached EML

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	QR code, Social engineering

Event coverage

Message attribute
attachments (collection)
headers (collection)
headers.auth_summary
headers.domains (collection)
sender.email
subject
type

Rule body MQL

type.inbound

// the subject contains pay related items
and (
  strings.icontains(subject.subject, 'salary')
  or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
  or strings.icontains(subject.subject, 'remuneration')
  or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
  or strings.icontains(subject.subject, 'bonus')
  or strings.icontains(subject.subject, 'incentive')
  or strings.icontains(subject.subject, 'merit')
  or strings.icontains(subject.subject, 'handbook')
  or strings.icontains(subject.subject, 'benefits')
)
// subjects include review/updates/changes
and (
  strings.icontains(subject.subject, 'review')
  or strings.icontains(subject.subject, 'Summary')
  or strings.icontains(subject.subject, 'evaluation')
  or regex.icontains(subject.subject, 'eval\b')
  or strings.icontains(subject.subject, 'assessment')
  or strings.icontains(subject.subject, 'appraisal')
  or strings.icontains(subject.subject, 'feedback')
  or strings.icontains(subject.subject, 'performance')
  or strings.icontains(subject.subject, 'adjustment')
  or strings.icontains(subject.subject, 'statement')
  or strings.icontains(subject.subject, 'increase')
  or strings.icontains(subject.subject, 'raise')
  or strings.icontains(subject.subject, 'change')
  or strings.icontains(subject.subject, 'modification')
  or strings.icontains(subject.subject, 'distribution')
  or strings.icontains(subject.subject, 'Disbursement')
  or regex.icontains(subject.subject, 'revis(?:ed|ion)')
  or regex.icontains(subject.subject, 'amend(?:ed|ment)')
  or strings.icontains(subject.subject, 'update')
)
and any(filter(attachments,
               .content_type == "message/rfc822" or .file_extension in ('eml')
        ),
        // inspect attachments in nested EML
        any(file.parse_eml(.).attachments,
            any(file.explode(.),
                (
                  regex.icontains(.scan.ocr.raw, 'scan|camera')
                  and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
                )
                or .scan.qr.type == "url" and .scan.qr.url.domain.valid
            )
        )
        // inspect nested EML in body.current_thread
        or (
          regex.icontains(file.parse_eml(.).body.current_thread.text,
                          'scan|camera'
          )
          and regex.icontains(file.parse_eml(.).body.current_thread.text,
                              '\bQR\b|Q\.R\.|barcode'
          )
        )
        // or there is a QR code found within the body of the nested body
        or (
          beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).found
          and any(beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)
                  ).items,
                  .type == "url" and .url.domain.valid
          )
        )
)

// negate instances where proofpoint sends a review of a reported message via analyzer 
and not (
  sender.email.email == "analyzer@analyzer.securityeducation.com"
  and any(headers.domains, .root_domain == "pphosted.com")
  and headers.auth_summary.spf.pass
  and headers.auth_summary.dmarc.pass
)

Detection logic

Scope: inbound message.

inbound message
any of:
- subject.subject contains 'salary'
- subject.subject matches 'comp(?:liance|ensation|\\b)'
- subject.subject contains 'remuneration'
- subject.subject matches '\\bpay(?:roll|\\b)'
- subject.subject contains 'bonus'
- subject.subject contains 'incentive'
- subject.subject contains 'merit'
- subject.subject contains 'handbook'
- subject.subject contains 'benefits'
any of:
- subject.subject contains 'review'
- subject.subject contains 'Summary'
- subject.subject contains 'evaluation'
- subject.subject matches 'eval\\b'
- subject.subject contains 'assessment'
- subject.subject contains 'appraisal'
- subject.subject contains 'feedback'
- subject.subject contains 'performance'
- subject.subject contains 'adjustment'
- subject.subject contains 'statement'
- subject.subject contains 'increase'
- subject.subject contains 'raise'
- subject.subject contains 'change'
- subject.subject contains 'modification'
- subject.subject contains 'distribution'
- subject.subject contains 'Disbursement'
- subject.subject matches 'revis(?:ed|ion)'
- subject.subject matches 'amend(?:ed|ment)'
- subject.subject contains 'update'
any of filter(attachments) where any holds:
- any of file.parse_eml(.).attachments where:
  - any of file.explode(.) where any holds:
    
    all of:
    
    .scan.ocr.raw matches 'scan|camera'
    .scan.ocr.raw matches '\\bQR\\b|Q\\.R\\.|barcode'
    all of:
    
    .scan.qr.type is 'url'
    .scan.qr.url.domain.valid
- all of:
  - file.parse_eml(.).body.current_thread.text matches 'scan|camera'
  - file.parse_eml(.).body.current_thread.text matches '\\bQR\\b|Q\\.R\\.|barcode'
- all of:
  - beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).found
  - any of beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).items where all hold:
    
    .type is 'url'
    .url.domain.valid
not:
- all of:
  - sender.email.email is 'analyzer@analyzer.securityeducation.com'
  - any of headers.domains where:
    
    .root_domain is 'pphosted.com'
  - headers.auth_summary.spf.pass
  - headers.auth_summary.dmarc.pass

Inspects: attachments[].content_type, attachments[].file_extension, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, headers.domains, headers.domains[].root_domain, sender.email.email, subject.subject, type.inbound. Sensors: beta.scan_qr, file.explode, file.html_screenshot, file.parse_eml, regex.icontains, strings.icontains.

Indicators matched (36)

Field	Match	Value
`strings.icontains`	substring	`salary`
`regex.icontains`	regex	`comp(?:liance\|ensation\|\b)`
`strings.icontains`	substring	`remuneration`
`regex.icontains`	regex	`\bpay(?:roll\|\b)`
`strings.icontains`	substring	`bonus`
`strings.icontains`	substring	`incentive`
`strings.icontains`	substring	`merit`
`strings.icontains`	substring	`handbook`
`strings.icontains`	substring	`benefits`
`strings.icontains`	substring	`review`
`strings.icontains`	substring	`Summary`
`strings.icontains`	substring	`evaluation`

24 more

`regex.icontains`	regex	`eval\b`
`strings.icontains`	substring	`assessment`
`strings.icontains`	substring	`appraisal`
`strings.icontains`	substring	`feedback`
`strings.icontains`	substring	`performance`
`strings.icontains`	substring	`adjustment`
`strings.icontains`	substring	`statement`
`strings.icontains`	substring	`increase`
`strings.icontains`	substring	`raise`
`strings.icontains`	substring	`change`
`strings.icontains`	substring	`modification`
`strings.icontains`	substring	`distribution`
`strings.icontains`	substring	`Disbursement`
`regex.icontains`	regex	`revis(?:ed\|ion)`
`regex.icontains`	regex	`amend(?:ed\|ment)`
`strings.icontains`	substring	`update`
`attachments[].content_type`	equals	`message/rfc822`
`attachments[].file_extension`	member	`eml`
`regex.icontains`	regex	`scan\|camera`
`regex.icontains`	regex	`\bQR\b\|Q\.R\.\|barcode`
`file.explode(file.parse_eml(filter(attachments)[]).attachments[])[].scan.qr.type`	equals	`url`
`beta.scan_qr(file.html_screenshot(file.parse_eml(filter(attachments)[]).body.html)).items[].type`	equals	`url`
`sender.email.email`	equals	`analyzer@analyzer.securityeducation.com`
`headers.domains[].root_domain`	equals	`pphosted.com`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)