Detection rules › Sublime MQL
Link: QR code with phishing disposition in img or pdf
This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | QR code, Social engineering |
Event coverage
| Message attribute |
|---|
| attachments (collection) |
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
type.inbound
and length(attachments) < 10
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(file.explode(.),
.scan.qr.type == "url"
// linkanalysis phishing disposition
and any([ml.link_analysis(.scan.qr.url)],
.credphish.disposition == "phishing"
)
and .scan.qr.url.domain.root_domain not in $org_domains
)
)
and (
not profile.by_sender_email().solicited
or not profile.by_sender_email().any_messages_benign
or (
profile.by_sender_email().any_messages_malicious_or_spam
and not profile.by_sender_email().any_messages_benign
)
or (
sender.email.domain.domain in $org_domains
and not coalesce(headers.auth_summary.dmarc.pass, false)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains.
- inbound message
- length(attachments) < 10
any of
attachmentswhere all hold:any of:
- .file_type in $file_types_images
- .file_type is 'pdf'
any of
file.explode(.)where all hold:- .scan.qr.type is 'url'
any of
[ml.link_analysis(.scan.qr.url)]where:- .credphish.disposition is 'phishing'
- .scan.qr.url.domain.root_domain not in $org_domains
any of:
not:
- profile.by_sender_email().solicited
not:
- profile.by_sender_email().any_messages_benign
all of:
- profile.by_sender_email().any_messages_malicious_or_spam
not:
- profile.by_sender_email().any_messages_benign
all of:
- sender.email.domain.domain in $org_domains
not:
- coalesce(headers.auth_summary.dmarc.pass)
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: attachments[].file_type, headers.auth_summary.dmarc.pass, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.link_analysis, profile.by_sender_email. Reference lists: $file_types_images, $high_trust_sender_root_domains, $org_domains.
Indicators matched (3)
| Field | Match | Value |
|---|---|---|
attachments[].file_type | equals | pdf |
file.explode(attachments[])[].scan.qr.type | equals | url |
[ml.link_analysis(file.explode(attachments[])[].scan.qr.url)][].credphish.disposition | equals | phishing |