QR code to auto-download of a suspicious file type (unsolicited)
A QR code in the body of the email downloads a suspicious file type (or embedded file) such as an LNK, JS, or VBA. Recursively explodes auto-downloaded files within archives to detect these file types.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Malware/Ransomware |
| Tactics and techniques | Evasion, LNK, Social engineering |
Event coverage
| Message attribute |
|---|
| headers.auth_summary |
| sender.email |
| type |
Rule body MQL
```
type.inbound
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and beta.scan_qr(file.message_screenshot()).found
and any(beta.scan_qr(file.message_screenshot()).items,
        any(ml.link_analysis(.url).files_downloaded,
            strings.ilike(.file_name, "*.exe")
            or .file_extension in (
              "dll",
              "exe",
              "html",
              "lnk",
              "js",
              "vba",
              "vbs",
              "vbe",
              "bat",
              "py",
              "ics",
              "sh",
              "ps1"
            )
            // or call file.explode to get yara/mime types
            or any(file.explode(.),
                   // file ext is not dll but is exe mime/yara
                   (
                     .file_extension not in ("dll", "exe")
                     and (
                       .flavors.mime in ("application/x-dosexec")
                       or any(.flavors.yara, . in ('mz_file'))
                     )
                   )
                   // or a macho file
                   or any(.flavors.yara, . == "macho_file")
            )
        )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- beta.scan_qr(file.message_screenshot()).found
- any of beta.scan_qr(file.message_screenshot()).items where any of ml.link_analysis(.url).files_downloaded holds:
  - .file_name matches '*.exe'
  - .file_extension in ('dll', 'exe', 'html', 'lnk', 'js', 'vba', 'vbs', 'vbe', 'bat', 'py', 'ics', 'sh', 'ps1')
  - any of file.explode(.) holds:
    - all of:
      - .file_extension not in ('dll', 'exe')
      - any of:
        - .flavors.mime in ('application/x-dosexec')
        - any of .flavors.yara where . in ('mz_file')
    - any of .flavors.yara where . is 'macho_file'
- any of:
  - all of:
    - sender.email.domain.root_domain in $high_trust_sender_root_domains
    - not headers.auth_summary.dmarc.pass
  - sender.email.domain.root_domain not in $high_trust_sender_root_domains
- any of:
  - not profile.by_sender().solicited
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not profile.by_sender().any_messages_benign
Inspects: headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: beta.scan_qr, file.explode, file.message_screenshot, ml.link_analysis, profile.by_sender, strings.ilike. Reference lists: $high_trust_sender_root_domains.
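As an added illustration that is not Sublime's code or MQL runtime, the plain-Python approximation below walks through the same decision logic over a constructed link-analysis result; the dictionary layout and the `HIGH_TRUST_ROOT_DOMAINS` set are assumptions standing in for MQL objects and the `$high_trust_sender_root_domains` list. It shows why the `file.explode` branch matters: a PE inside the downloaded archive carries an extension outside the list and is caught only by its MIME/YARA flavor.

```python
from fnmatch import fnmatch

# Added example, not Sublime's engine: a Python approximation of the rule.
SUSPICIOUS_EXT = {"dll", "exe", "html", "lnk", "js", "vba", "vbs", "vbe",
                  "bat", "py", "ics", "sh", "ps1"}
# Assumed stand-in for the $high_trust_sender_root_domains reference list.
HIGH_TRUST_ROOT_DOMAINS = {"example.com"}


def file_is_suspicious(f):
    """Inner any(): name/extension match, or an exploded child that is a
    PE / Mach-O by content even though its extension is not in the list."""
    if fnmatch(f["file_name"].lower(), "*.exe") or f["file_extension"] in SUSPICIOUS_EXT:
        return True
    for child in f.get("exploded", []):  # stands in for file.explode(.)
        fl = child["flavors"]
        pe_by_content = fl["mime"] == "application/x-dosexec" or "mz_file" in fl["yara"]
        if child["file_extension"] not in ("dll", "exe") and pe_by_content:
            return True
        if "macho_file" in fl["yara"]:
            return True
    return False


def rule_matches(msg):
    """Top-level rule: inbound, a QR code led to a suspicious auto-download,
    high-trust sender negation, then the sender-profile (unsolicited) condition."""
    if not msg["inbound"] or not msg["qr_items"]:
        return False
    if not any(file_is_suspicious(f)
               for item in msg["qr_items"] for f in item["files_downloaded"]):
        return False
    # A high-trust root domain is exempt only while DMARC passes.
    if msg["sender_root_domain"] in HIGH_TRUST_ROOT_DOMAINS and msg["dmarc_pass"]:
        return False
    prof = msg["profile"]
    return (not prof["solicited"]) or (prof["any_malicious_or_spam"] and not prof["any_benign"])


# Constructed sample: the QR URL auto-downloads an archive; inside is a PE
# renamed to .scr, which only the MIME/YARA content check catches.
SAMPLE = {
    "inbound": True,
    "qr_items": [{"url": "https://qr.example.invalid/d", "files_downloaded": [{
        "file_name": "invoice.zip", "file_extension": "zip",
        "exploded": [{"file_extension": "scr",
                      "flavors": {"mime": "application/x-dosexec", "yara": ["mz_file"]}}]}]}],
    "sender_root_domain": "unknown-sender.invalid",
    "dmarc_pass": False,
    "profile": {"solicited": False, "any_malicious_or_spam": False, "any_benign": False},
}
```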
Indicators matched (19)
| Field | Match | Value |
|---|---|---|
| strings.ilike | substring | *.exe |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | dll |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | exe |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | html |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | lnk |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | js |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | vba |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | vbs |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | vbe |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | bat |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | py |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | ics |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | sh |
| ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[].file_extension | member | ps1 |
| file.explode(ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[])[].file_extension | member | dll |
| file.explode(ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[])[].file_extension | member | exe |
| file.explode(ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[])[].flavors.mime | member | application/x-dosexec |
| file.explode(ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[])[].flavors.yara[] | member | mz_file |
| file.explode(ml.link_analysis(beta.scan_qr(file.message_screenshot()).items[].url).files_downloaded[])[].flavors.yara[] | equals | macho_file |