QR Code with suspicious indicators

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule flags messages with QR codes in attachments when there are three or fewer attachments. If no attachments are present, the rule captures a screenshot of the message for analysis. Additional triggers include: sender's name containing the recipient's SLD, recipient's email mentioned in the body, an empty message body, a suspicious subject, or undisclosed recipients.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	QR code, Social engineering

Event coverage

Message attribute
attachments (collection)
body.current_thread
body.html
headers (collection)
headers.auth_summary
recipients
recipients.to (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  (
    length(attachments) <= 3
    or (
      any(attachments, length(ml.logo_detect(.).brands) > 0)
      and length(attachments) <= 10
    )
  )
  and (
    any(attachments,
        (
          .file_type in $file_types_images
          or .file_extension in $file_extensions_macros
          or .file_type == "pdf"
        )
        and (
          any(file.explode(.),
              (
                .scan.qr.type is not null
                and regex.contains(.scan.qr.data, '\.')
                and not strings.starts_with(.scan.qr.data,
                                            "https://qr.skyqr.co.za/"
                )
                and not (
                  strings.icontains(.scan.qr.data, ',')
                  and .scan.qr.type == 'undefined'
                )
                // not a json string
                and not (
                  strings.starts_with(.scan.qr.data, '{')
                  and strings.ends_with(.scan.qr.data, '}')
                )
                // exclude images taken with mobile cameras and screenshots from android
                and not any(.scan.exiftool.fields,
                            .key == "Model"
                            or (
                              .key == "Software"
                              and strings.starts_with(.value, "Android")
                            )
                )
                // exclude images taken with mobile cameras and screenshots from Apple
                and not any(.scan.exiftool.fields,
                            .key == "DeviceManufacturer"
                            and .value == "Apple Computer Inc."
                )
                // exclude images from WhatsApp (mobile)
                and not regex.match(.file_name,
                                    'WhatsApp Image \d\d\d\d-\d\d-\d\d at.*.jpe?g'
                )
                and not (
                  (
                    .scan.exiftool.image_height > 3000
                    and .scan.exiftool.image_height is not null
                  )
                  or (
                    .scan.exiftool.image_width > 3000
                    and .scan.exiftool.image_width is not null
                  )
                )
                // exclude contact cards
                and not strings.istarts_with(.scan.qr.data, "BEGIN:VCARD")

                // negate QR codes to legit Servicio de Administración Tributaria (SAT) Gov links
                and not (
                  .scan.qr.url.domain.root_domain is not null
                  and .scan.qr.url.domain.root_domain in ('sat.gob.mx')
                )
                and not (
                  .scan.qr.data is not null
                  and strings.icontains(.scan.qr.data, 'sat.gob.mx')
                )
              )
              or (
                regex.icontains(.scan.ocr.raw,
                                '(?:scan|camera|review and sign)'
                )
                and regex.icontains(.scan.ocr.raw, '(?:\bQR\b|Q\.R\.|barcode)')
              )
          )
        )
    )
    or (
      length(attachments) == 0
      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      and (
        (
          beta.parse_exif(file.message_screenshot()).image_height < 2000
          and beta.parse_exif(file.message_screenshot()).image_width < 2000
        )
        // ignore image height/width if there is excessive whitespace padding
        or regex.contains(body.html.raw, '\"padding:0px 0px \d{3,4}px 0px')
      )
      and any(beta.scan_qr(file.message_screenshot()).items,
              .type is not null
              and regex.contains(.data, '\.')
              // exclude contact cards
              and not strings.istarts_with(.data, "BEGIN:VCARD")
      )
    )
  )
  and (
    any(recipients.to,
        strings.icontains(sender.display_name, .email.domain.sld)
    )
    or length(body.current_thread.text) is null
    or (
      body.current_thread.text == ""
      and (
        (
          (length(headers.references) > 0 or headers.in_reply_to is null)
          and not (
            (
              strings.istarts_with(subject.subject, "RE:")
              or strings.istarts_with(subject.subject, "RES:")
              or strings.istarts_with(subject.subject, "R:")
              or strings.istarts_with(subject.subject, "ODG:")
              or strings.istarts_with(subject.subject, "答复:")
              or strings.istarts_with(subject.subject, "AW:")
              or strings.istarts_with(subject.subject, "TR:")
              or strings.istarts_with(subject.subject, "FWD:")
              or regex.imatch(subject.subject,
                              '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
              )
            )
          )
        )
        or length(headers.references) == 0
      )
    )
    or regex.contains(subject.subject,
                      "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
    )
    or (any(recipients.to, strings.icontains(subject.subject, .display_name)))
    or (
      regex.icontains(subject.subject,
                      "termination.*notice",
                      "38417",
                      ":completed",
                      "[il1]{2}mit.*ma[il1]{2} ?bo?x",
                      "[il][il][il]egai[ -]",
                      "[li][li][li]ega[li] attempt",
                      "[ng]-?[io]n .*block",
                      "[ng]-?[io]n .*cancel",
                      "[ng]-?[io]n .*deactiv",
                      "[ng]-?[io]n .*disabl",
                      "action.*required",
                      "abandon.*package",
                      "about.your.account",
                      "acc(ou)?n?t (is )?on ho[li]d",
                      "acc(ou)?n?t.*terminat",
                      "acc(oun)?t.*[il1]{2}mitation",
                      "access.*limitation",
                      "account (will be )?block",
                      "account.*de-?activat",
                      "account.*locked",
                      "account.*re-verification",
                      "account.*security",
                      "account.*suspension",
                      "account.has.been",
                      "account.has.expired",
                      "account.will.be.blocked",
                      "account v[il]o[li]at",
                      "activity.*acc(oun)?t",
                      "all.?staff",
                      "almost.full",
                      "app[li]e.[il]d",
                      "authenticate.*account",
                      "been.*suspend",
                      "bonus",
                      "clos.*of.*account.*processed",
                      "confirm.your.account",
                      "courier.*able",
                      "crediential.*notif",
                      "deactivation.*in.*progress",
                      "delivery.*attempt.*failed",
                      "document.received",
                      "documented.*shared.*with.*you",
                      "dropbox.*document",
                      "e-?ma[il1]+ .{010}suspen",
                      "e-?ma[il1]{1} user",
                      "e-?ma[il1]{2} acc",
                      "e-?ma[il1]{2}.*up.?grade",
                      "e.?ma[il1]{2}.*server",
                      "e.?ma[il1]{2}.*suspend",
                      "email.update",
                      "faxed you",
                      "fraud(ulent)?.*charge",
                      "from.helpdesk",
                      "fu[il1]{2}.*ma[il1]+[ -]?box",
                      "has.been.*suspended",
                      "has.been.limited",
                      "have.locked",
                      "he[li]p ?desk upgrade",
                      "heipdesk",
                      "i[il]iega[il]",
                      "ii[il]ega[il]",
                      "incoming e?mail",
                      "incoming.*fax",
                      "lock.*security",
                      "ma[il1]{1}[ -]?box.*quo",
                      "ma[il1]{2}[ -]?box.*fu[il1]",
                      "ma[il1]{2}box.*[il1]{2}mit",
                      "ma[il1]{2}box stor",
                      "mail on.?hold",
                      "mail.*box.*migration",
                      "mail.*de-?activat",
                      "mail.update.required",
                      "mails.*pending",
                      "messages.*pending",
                      "missed.*shipping.*notification",
                      "missed.shipment.notification",
                      "must.update.your.account",
                      "new [sl][io]g?[nig][ -]?in from",
                      "new voice ?-?mail",
                      "notifications.*pending",
                      "office.*3.*6.*5.*suspend",
                      "office365",
                      "on google docs with you",
                      "online doc",
                      "password.*compromised",
                      "payment advice",
                      "periodic maintenance",
                      "potential(ly)? unauthorized",
                      "refund not approved",
                      "report",
                      "revised.*policy",
                      "scam",
                      "scanned.?invoice",
                      "secured?.update",
                      "security breach",
                      "securlty",
                      "seguranca",
                      "signed.*delivery",
                      "status of your .{314}? ?delivery",
                      "susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty",
                      "suspicious.*sign.*[io]n",
                      "suspicious.activit",
                      "temporar(il)?y deactivate",
                      "temporar[il1]{2}y disab[li]ed",
                      "temporarily.*lock",
                      "un-?usua[li].activity",
                      "unable.*deliver",
                      "unauthorized.*activit",
                      "unauthorized.device",
                      "undelivered message",
                      "unread.*doc",
                      "unusual.activity",
                      "upgrade.*account",
                      "upgrade.notice",
                      "urgent message",
                      "urgent.verification",
                      "v[il1]o[li1]at[il1]on security",
                      "va[il1]{1}date.*ma[il1]{2}[ -]?box",
                      "verification ?-?require",
                      "verification( )?-?need",
                      "verify.your?.account",
                      "web ?-?ma[il1]{2}",
                      "web[ -]?ma[il1]{2}",
                      "will.be.suspended",
                      "your (customer )?account .as",
                      "your.office.365",
                      "your.online.access"
      )
      or any($suspicious_subjects, strings.icontains(subject.subject, .))
      or regex.icontains(sender.display_name,
                         "Accounts.?Payable",
                         "Admin",
                         "Administrator",
                         "Alert",
                         "Assistant",
                         "Billing",
                         "Benefits",
                         "Bonus",
                         "CEO",
                         "CFO",
                         "CIO",
                         "CTO",
                         "Chairman",
                         "Claim",
                         "Confirm",
                         "Critical",
                         "Customer Service",
                         "Deal",
                         "Discount",
                         "Director",
                         "Exclusive",
                         "Executive",
                         "Fax",
                         "Free",
                         "Gift",
                         "/bHR/b",
                         "Helpdesk",
                         "Human Resources",
                         "Immediate",
                         "Important",
                         "Info",
                         "Information",
                         "Invoice",
                         '\bIT\b',
                         "Legal",
                         "Lottery",
                         "Management",
                         "Manager",
                         "Member Services",
                         "Notification",
                         "Offer",
                         "Operations",
                         "Order",
                         "Partner",
                         "Payment",
                         "Payroll",
                         "President",
                         "Premium",
                         "Prize",
                         "Receipt",
                         "Refund",
                         "Registrar",
                         "Required",
                         "Reward",
                         "Sales",
                         "Secretary",
                         "Security",
                         "Service",
                         "Signature",
                         "StaffAnnouncement",
                         "Storage",
                         "Support",
                         "Sweepstakes",
                         "System",
                         "Tax",
                         "Tech Support",
                         "Update",
                         "Upgrade",
                         "Urgent",
                         "Validate",
                         "Verify",
                         "VIP",
                         "Webmaster",
                         "Winner",
      )
    )
    or (
      (
        length(recipients.to) == 0
        or all(recipients.to, .display_name == "Undisclosed recipients")
      )
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
    )
    or any(beta.scan_qr(file.message_screenshot()).items,
           (
             .url.domain.tld in $suspicious_tlds
             and .url.domain.root_domain != "app.link"
           )
           // linkanalysis phishing disposition
           or ml.link_analysis(.url).credphish.disposition == "phishing"
    )
    or any(attachments,
           (
             .file_type in $file_types_images
             or .file_extension in $file_extensions_macros
             or .file_type == "pdf"
           )
           and any(file.explode(.),
                   (
                     .scan.qr.url.domain.tld in $suspicious_tlds
                     and .scan.qr.url.domain.root_domain != "app.link"
                     and .scan.qr.url.domain.root_domain != "qr.link"
                     and .scan.qr.url.domain.root_domain != "skyqr.co.za"
                   )
                   and .scan.qr.url.domain.root_domain not in $org_domains
           )
    )
    or sender.email.domain.tld in $suspicious_tlds
  )
)

// sender profile is new or outlier
and (
  profile.by_sender_email().any_messages_malicious_or_spam
  or (
    sender.email.domain.domain in $org_domains
    and not coalesce(headers.auth_summary.dmarc.pass, false)
  )
  or (
    profile.by_sender_email().prevalence in ("new", "outlier")
    and not profile.by_sender_email().solicited
  )
)
and not profile.by_sender_email().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

Detection logic

Scope: inbound message.

inbound message
all of:
- any of:
  - length(attachments) ≤ 3
  - all of:
    
    any of attachments where:
    
    length(ml.logo_detect(.).brands) > 0
    length(attachments) ≤ 10
- any of:
  - any of attachments where all hold:
    
    any of:
    
    .file_type in $file_types_images
    .file_extension in $file_extensions_macros
    .file_type is 'pdf'
    any of file.explode(.) where any holds:
    
    all of:
    
    .scan.qr.type is set
    .scan.qr.data matches '\\.'
    not:
    
    .scan.qr.data starts with 'https://qr.skyqr.co.za/'
    not:
    
    all of:
    
    .scan.qr.data contains ','
    .scan.qr.type is 'undefined'
    not:
    
    all of:
    
    .scan.qr.data starts with '{'
    .scan.qr.data ends with '}'
    not:
    
    any of .scan.exiftool.fields where any holds:
    
    .key is 'Model'
    all of:
    
    .key is 'Software'
    .value starts with 'Android'
    not:
    
    any of .scan.exiftool.fields where all hold:
    
    .key is 'DeviceManufacturer'
    .value is 'Apple Computer Inc.'
    not:
    
    .file_name matches 'WhatsApp Image \\d\\d\\d\\d-\\d\\d-\\d\\d at.*.jpe?g'
    none of:
    
    all of:
    
    .scan.exiftool.image_height > 3000
    .scan.exiftool.image_height is set
    all of:
    
    .scan.exiftool.image_width > 3000
    .scan.exiftool.image_width is set
    not:
    
    .scan.qr.data starts with 'BEGIN:VCARD'
    not:
    
    all of:
    
    .scan.qr.url.domain.root_domain is set
    .scan.qr.url.domain.root_domain in ('sat.gob.mx')
    not:
    
    all of:
    
    .scan.qr.data is set
    .scan.qr.data contains 'sat.gob.mx'
    all of:
    
    .scan.ocr.raw matches '(?:scan|camera|review and sign)'
    .scan.ocr.raw matches '(?:\\bQR\\b|Q\\.R\\.|barcode)'
  - all of:
    
    length(attachments) is 0
    any of:
    
    all of:
    
    beta.parse_exif(file.message_screenshot()).image_height < 2000
    beta.parse_exif(file.message_screenshot()).image_width < 2000
    body.html.raw matches '\\"padding:0px 0px \\d{3,4}px 0px'
    any of beta.scan_qr(file.message_screenshot()).items where all hold:
    
    .type is set
    .data matches '\\.'
    not:
    
    .data starts with 'BEGIN:VCARD'
- any of:
  - any of recipients.to where:
    
    strings.icontains(sender.display_name)
  - length(body.current_thread.text) is missing
  - all of:
    
    body.current_thread.text is ''
    any of:
    
    all of:
    
    any of:
    
    length(headers.references) > 0
    headers.in_reply_to is missing
    none of:
    
    subject.subject starts with 'RE:'
    subject.subject starts with 'RES:'
    subject.subject starts with 'R:'
    subject.subject starts with 'ODG:'
    subject.subject starts with '答复:'
    subject.subject starts with 'AW:'
    subject.subject starts with 'TR:'
    subject.subject starts with 'FWD:'
    subject.subject matches '(\\[[^\\]]+\\]\\s?){0,3}(re|fwd?|automat.*)\\s?:.*'
    length(headers.references) is 0
  - subject.subject matches '(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)'
  - any of recipients.to where:
    
    strings.icontains(subject.subject)
  - any of:
    
    subject.subject matches any of 127 patterns
    
    termination.*notice
    38417
    :completed
    [il1]{2}mit.*ma[il1]{2} ?bo?x
    [il][il][il]egai[ -]
    [li][li][li]ega[li] attempt
    [ng]-?[io]n .*block
    [ng]-?[io]n .*cancel
    [ng]-?[io]n .*deactiv
    [ng]-?[io]n .*disabl
    action.*required
    abandon.*package
    about.your.account
    acc(ou)?n?t (is )?on ho[li]d
    acc(ou)?n?t.*terminat
    acc(oun)?t.*[il1]{2}mitation
    access.*limitation
    account (will be )?block
    account.*de-?activat
    account.*locked
    account.*re-verification
    account.*security
    account.*suspension
    account.has.been
    account.has.expired
    account.will.be.blocked
    account v[il]o[li]at
    activity.*acc(oun)?t
    all.?staff
    almost.full
    app[li]e.[il]d
    authenticate.*account
    been.*suspend
    bonus
    clos.*of.*account.*processed
    confirm.your.account
    courier.*able
    crediential.*notif
    deactivation.*in.*progress
    delivery.*attempt.*failed
    document.received
    documented.*shared.*with.*you
    dropbox.*document
    e-?ma[il1]+ .{010}suspen
    e-?ma[il1]{1} user
    e-?ma[il1]{2} acc
    e-?ma[il1]{2}.*up.?grade
    e.?ma[il1]{2}.*server
    e.?ma[il1]{2}.*suspend
    email.update
    faxed you
    fraud(ulent)?.*charge
    from.helpdesk
    fu[il1]{2}.*ma[il1]+[ -]?box
    has.been.*suspended
    has.been.limited
    have.locked
    he[li]p ?desk upgrade
    heipdesk
    i[il]iega[il]
    ii[il]ega[il]
    incoming e?mail
    incoming.*fax
    lock.*security
    ma[il1]{1}[ -]?box.*quo
    ma[il1]{2}[ -]?box.*fu[il1]
    ma[il1]{2}box.*[il1]{2}mit
    ma[il1]{2}box stor
    mail on.?hold
    mail.*box.*migration
    mail.*de-?activat
    mail.update.required
    mails.*pending
    messages.*pending
    missed.*shipping.*notification
    missed.shipment.notification
    must.update.your.account
    new [sl][io]g?[nig][ -]?in from
    new voice ?-?mail
    notifications.*pending
    office.*3.*6.*5.*suspend
    office365
    on google docs with you
    online doc
    password.*compromised
    payment advice
    periodic maintenance
    potential(ly)? unauthorized
    refund not approved
    report
    revised.*policy
    scam
    scanned.?invoice
    secured?.update
    security breach
    securlty
    seguranca
    signed.*delivery
    status of your .{314}? ?delivery
    susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty
    suspicious.*sign.*[io]n
    suspicious.activit
    temporar(il)?y deactivate
    temporar[il1]{2}y disab[li]ed
    temporarily.*lock
    un-?usua[li].activity
    unable.*deliver
    unauthorized.*activit
    unauthorized.device
    undelivered message
    unread.*doc
    unusual.activity
    upgrade.*account
    upgrade.notice
    urgent message
    urgent.verification
    v[il1]o[li1]at[il1]on security
    va[il1]{1}date.*ma[il1]{2}[ -]?box
    verification ?-?require
    verification( )?-?need
    verify.your?.account
    web ?-?ma[il1]{2}
    web[ -]?ma[il1]{2}
    will.be.suspended
    your (customer )?account .as
    your.office.365
    your.online.access
    any of $suspicious_subjects where:
    
    strings.icontains(subject.subject)
    sender.display_name matches any of 74 patterns
    
    Accounts.?Payable
    Admin
    Administrator
    Alert
    Assistant
    Billing
    Benefits
    Bonus
    CEO
    CFO
    CIO
    CTO
    Chairman
    Claim
    Confirm
    Critical
    Customer Service
    Deal
    Discount
    Director
    Exclusive
    Executive
    Fax
    Free
    Gift
    /bHR/b
    Helpdesk
    Human Resources
    Immediate
    Important
    Info
    Information
    Invoice
    \bIT\b
    Legal
    Lottery
    Management
    Manager
    Member Services
    Notification
    Offer
    Operations
    Order
    Partner
    Payment
    Payroll
    President
    Premium
    Prize
    Receipt
    Refund
    Registrar
    Required
    Reward
    Sales
    Secretary
    Security
    Service
    Signature
    StaffAnnouncement
    Storage
    Support
    Sweepstakes
    System
    Tax
    Tech Support
    Update
    Upgrade
    Urgent
    Validate
    Verify
    VIP
    Webmaster
    Winner
  - all of:
    
    any of:
    
    length(recipients.to) is 0
    all of recipients.to where:
    
    .display_name is 'Undisclosed recipients'
    length(recipients.cc) is 0
    length(recipients.bcc) is 0
  - any of beta.scan_qr(file.message_screenshot()).items where any holds:
    
    all of:
    
    .url.domain.tld in $suspicious_tlds
    .url.domain.root_domain is not 'app.link'
    ml.link_analysis(.url).credphish.disposition is 'phishing'
  - any of attachments where all hold:
    
    any of:
    
    .file_type in $file_types_images
    .file_extension in $file_extensions_macros
    .file_type is 'pdf'
    any of file.explode(.) where all hold:
    
    all of:
    
    .scan.qr.url.domain.tld in $suspicious_tlds
    .scan.qr.url.domain.root_domain is not 'app.link'
    .scan.qr.url.domain.root_domain is not 'qr.link'
    .scan.qr.url.domain.root_domain is not 'skyqr.co.za'
    .scan.qr.url.domain.root_domain not in $org_domains
  - sender.email.domain.tld in $suspicious_tlds
any of:
- profile.by_sender_email().any_messages_malicious_or_spam
- all of:
  - sender.email.domain.domain in $org_domains
  - not:
    
    coalesce(headers.auth_summary.dmarc.pass)
- all of:
  - profile.by_sender_email().prevalence in ('new', 'outlier')
  - not:
    
    profile.by_sender_email().solicited
not:
- profile.by_sender_email().any_messages_benign
not:
- all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - coalesce(headers.auth_summary.dmarc.pass)

Inspects: attachments[].file_extension, attachments[].file_type, body.current_thread.text, body.html.raw, headers.auth_summary.dmarc.pass, headers.in_reply_to, headers.references, recipients.bcc, recipients.cc, recipients.to, recipients.to[].display_name, recipients.to[].email.domain.sld, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.domain.tld, subject.subject, type.inbound. Sensors: beta.parse_exif, beta.scan_qr, file.explode, file.message_screenshot, ml.link_analysis, ml.logo_detect, profile.by_sender_email, regex.contains, regex.icontains, regex.imatch, regex.match, strings.ends_with, strings.icontains, strings.istarts_with, strings.starts_with. Reference lists: $file_extensions_macros, $file_types_images, $high_trust_sender_root_domains, $org_domains, $suspicious_subjects, $suspicious_tlds.

Indicators matched (232)

Field	Match	Value
`attachments[].file_type`	equals	`pdf`
`regex.contains`	regex	`\.`
`strings.starts_with`	prefix	`https://qr.skyqr.co.za/`
`strings.icontains`	substring	`,`
`file.explode(attachments[])[].scan.qr.type`	equals	`undefined`
`strings.starts_with`	prefix	`{`
`strings.ends_with`	suffix	`}`
`file.explode(attachments[])[].scan.exiftool.fields[].key`	equals	`Model`
`file.explode(attachments[])[].scan.exiftool.fields[].key`	equals	`Software`
`strings.starts_with`	prefix	`Android`
`file.explode(attachments[])[].scan.exiftool.fields[].key`	equals	`DeviceManufacturer`
`file.explode(attachments[])[].scan.exiftool.fields[].value`	equals	`Apple Computer Inc.`

220 more

`regex.match`	regex	`WhatsApp Image \d\d\d\d-\d\d-\d\d at.*.jpe?g`
`strings.istarts_with`	prefix	`BEGIN:VCARD`
`file.explode(attachments[])[].scan.qr.url.domain.root_domain`	member	`sat.gob.mx`
`strings.icontains`	substring	`sat.gob.mx`
`regex.icontains`	regex	`(?:scan\|camera\|review and sign)`
`regex.icontains`	regex	`(?:\bQR\b\|Q\.R\.\|barcode)`
`regex.contains`	regex	`\"padding:0px 0px \d{3,4}px 0px`
`body.current_thread.text`	equals
`strings.istarts_with`	prefix	`RE:`
`strings.istarts_with`	prefix	`RES:`
`strings.istarts_with`	prefix	`R:`
`strings.istarts_with`	prefix	`ODG:`
`strings.istarts_with`	prefix	`答复:`
`strings.istarts_with`	prefix	`AW:`
`strings.istarts_with`	prefix	`TR:`
`strings.istarts_with`	prefix	`FWD:`
`regex.imatch`	regex	`(\[[^\]]+\]\s?){0,3}(re\|fwd?\|automat.)\s?:.`
`regex.contains`	regex	`(Authenticat(e\|or\|ion)\|2fa\|Multi.Factor\|(qr\|bar).code\|action.require\|alert\|Att(n\|ention):)`
`regex.icontains`	regex	`termination.*notice`
`regex.icontains`	regex	`38417`
`regex.icontains`	regex	`:completed`
`regex.icontains`	regex	`[il1]{2}mit.*ma[il1]{2} ?bo?x`
`regex.icontains`	regex	`[il][il][il]egai[ -]`
`regex.icontains`	regex	`[li][li][li]ega[li] attempt`
`regex.icontains`	regex	`[ng]-?[io]n .*block`
`regex.icontains`	regex	`[ng]-?[io]n .*cancel`
`regex.icontains`	regex	`[ng]-?[io]n .*deactiv`
`regex.icontains`	regex	`[ng]-?[io]n .*disabl`
`regex.icontains`	regex	`action.*required`
`regex.icontains`	regex	`abandon.*package`
`regex.icontains`	regex	`about.your.account`
`regex.icontains`	regex	`acc(ou)?n?t (is )?on ho[li]d`
`regex.icontains`	regex	`acc(ou)?n?t.*terminat`
`regex.icontains`	regex	`acc(oun)?t.*[il1]{2}mitation`
`regex.icontains`	regex	`access.*limitation`
`regex.icontains`	regex	`account (will be )?block`
`regex.icontains`	regex	`account.*de-?activat`
`regex.icontains`	regex	`account.*locked`
`regex.icontains`	regex	`account.*re-verification`
`regex.icontains`	regex	`account.*security`
`regex.icontains`	regex	`account.*suspension`
`regex.icontains`	regex	`account.has.been`
`regex.icontains`	regex	`account.has.expired`
`regex.icontains`	regex	`account.will.be.blocked`
`regex.icontains`	regex	`account v[il]o[li]at`
`regex.icontains`	regex	`activity.*acc(oun)?t`
`regex.icontains`	regex	`all.?staff`
`regex.icontains`	regex	`almost.full`
`regex.icontains`	regex	`app[li]e.[il]d`
`regex.icontains`	regex	`authenticate.*account`
`regex.icontains`	regex	`been.*suspend`
`regex.icontains`	regex	`bonus`
`regex.icontains`	regex	`clos.of.account.*processed`
`regex.icontains`	regex	`confirm.your.account`
`regex.icontains`	regex	`courier.*able`
`regex.icontains`	regex	`crediential.*notif`
`regex.icontains`	regex	`deactivation.in.progress`
`regex.icontains`	regex	`delivery.attempt.failed`
`regex.icontains`	regex	`document.received`
`regex.icontains`	regex	`documented.shared.with.*you`
`regex.icontains`	regex	`dropbox.*document`
`regex.icontains`	regex	`e-?ma[il1]+ .{010}suspen`
`regex.icontains`	regex	`e-?ma[il1]{1} user`
`regex.icontains`	regex	`e-?ma[il1]{2} acc`
`regex.icontains`	regex	`e-?ma[il1]{2}.*up.?grade`
`regex.icontains`	regex	`e.?ma[il1]{2}.*server`
`regex.icontains`	regex	`e.?ma[il1]{2}.*suspend`
`regex.icontains`	regex	`email.update`
`regex.icontains`	regex	`faxed you`
`regex.icontains`	regex	`fraud(ulent)?.*charge`
`regex.icontains`	regex	`from.helpdesk`
`regex.icontains`	regex	`fu[il1]{2}.*ma[il1]+[ -]?box`
`regex.icontains`	regex	`has.been.*suspended`
`regex.icontains`	regex	`has.been.limited`
`regex.icontains`	regex	`have.locked`
`regex.icontains`	regex	`he[li]p ?desk upgrade`
`regex.icontains`	regex	`heipdesk`
`regex.icontains`	regex	`i[il]iega[il]`
`regex.icontains`	regex	`ii[il]ega[il]`
`regex.icontains`	regex	`incoming e?mail`
`regex.icontains`	regex	`incoming.*fax`
`regex.icontains`	regex	`lock.*security`
`regex.icontains`	regex	`ma[il1]{1}[ -]?box.*quo`
`regex.icontains`	regex	`ma[il1]{2}[ -]?box.*fu[il1]`
`regex.icontains`	regex	`ma[il1]{2}box.*[il1]{2}mit`
`regex.icontains`	regex	`ma[il1]{2}box stor`
`regex.icontains`	regex	`mail on.?hold`
`regex.icontains`	regex	`mail.box.migration`
`regex.icontains`	regex	`mail.*de-?activat`
`regex.icontains`	regex	`mail.update.required`
`regex.icontains`	regex	`mails.*pending`
`regex.icontains`	regex	`messages.*pending`
`regex.icontains`	regex	`missed.shipping.notification`
`regex.icontains`	regex	`missed.shipment.notification`
`regex.icontains`	regex	`must.update.your.account`
`regex.icontains`	regex	`new [sl][io]g?[nig][ -]?in from`
`regex.icontains`	regex	`new voice ?-?mail`
`regex.icontains`	regex	`notifications.*pending`
`regex.icontains`	regex	`office.3.6.5.suspend`
`regex.icontains`	regex	`office365`
`regex.icontains`	regex	`on google docs with you`
`regex.icontains`	regex	`online doc`
`regex.icontains`	regex	`password.*compromised`
`regex.icontains`	regex	`payment advice`
`regex.icontains`	regex	`periodic maintenance`
`regex.icontains`	regex	`potential(ly)? unauthorized`
`regex.icontains`	regex	`refund not approved`
`regex.icontains`	regex	`report`
`regex.icontains`	regex	`revised.*policy`
`regex.icontains`	regex	`scam`
`regex.icontains`	regex	`scanned.?invoice`
`regex.icontains`	regex	`secured?.update`
`regex.icontains`	regex	`security breach`
`regex.icontains`	regex	`securlty`
`regex.icontains`	regex	`seguranca`
`regex.icontains`	regex	`signed.*delivery`
`regex.icontains`	regex	`status of your .{314}? ?delivery`
`regex.icontains`	regex	`susp[il1]+c[il1]+ous.*act[il1]+v[il1]+ty`
`regex.icontains`	regex	`suspicious.sign.[io]n`
`regex.icontains`	regex	`suspicious.activit`
`regex.icontains`	regex	`temporar(il)?y deactivate`
`regex.icontains`	regex	`temporar[il1]{2}y disab[li]ed`
`regex.icontains`	regex	`temporarily.*lock`
`regex.icontains`	regex	`un-?usua[li].activity`
`regex.icontains`	regex	`unable.*deliver`
`regex.icontains`	regex	`unauthorized.*activit`
`regex.icontains`	regex	`unauthorized.device`
`regex.icontains`	regex	`undelivered message`
`regex.icontains`	regex	`unread.*doc`
`regex.icontains`	regex	`unusual.activity`
`regex.icontains`	regex	`upgrade.*account`
`regex.icontains`	regex	`upgrade.notice`
`regex.icontains`	regex	`urgent message`
`regex.icontains`	regex	`urgent.verification`
`regex.icontains`	regex	`v[il1]o[li1]at[il1]on security`
`regex.icontains`	regex	`va[il1]{1}date.*ma[il1]{2}[ -]?box`
`regex.icontains`	regex	`verification ?-?require`
`regex.icontains`	regex	`verification( )?-?need`
`regex.icontains`	regex	`verify.your?.account`
`regex.icontains`	regex	`web ?-?ma[il1]{2}`
`regex.icontains`	regex	`web[ -]?ma[il1]{2}`
`regex.icontains`	regex	`will.be.suspended`
`regex.icontains`	regex	`your (customer )?account .as`
`regex.icontains`	regex	`your.office.365`
`regex.icontains`	regex	`your.online.access`
`regex.icontains`	regex	`Accounts.?Payable`
`regex.icontains`	regex	`Admin`
`regex.icontains`	regex	`Administrator`
`regex.icontains`	regex	`Alert`
`regex.icontains`	regex	`Assistant`
`regex.icontains`	regex	`Billing`
`regex.icontains`	regex	`Benefits`
`regex.icontains`	regex	`Bonus`
`regex.icontains`	regex	`CEO`
`regex.icontains`	regex	`CFO`
`regex.icontains`	regex	`CIO`
`regex.icontains`	regex	`CTO`
`regex.icontains`	regex	`Chairman`
`regex.icontains`	regex	`Claim`
`regex.icontains`	regex	`Confirm`
`regex.icontains`	regex	`Critical`
`regex.icontains`	regex	`Customer Service`
`regex.icontains`	regex	`Deal`
`regex.icontains`	regex	`Discount`
`regex.icontains`	regex	`Director`
`regex.icontains`	regex	`Exclusive`
`regex.icontains`	regex	`Executive`
`regex.icontains`	regex	`Fax`
`regex.icontains`	regex	`Free`
`regex.icontains`	regex	`Gift`
`regex.icontains`	regex	`/bHR/b`
`regex.icontains`	regex	`Helpdesk`
`regex.icontains`	regex	`Human Resources`
`regex.icontains`	regex	`Immediate`
`regex.icontains`	regex	`Important`
`regex.icontains`	regex	`Info`
`regex.icontains`	regex	`Information`
`regex.icontains`	regex	`Invoice`
`regex.icontains`	regex	`\bIT\b`
`regex.icontains`	regex	`Legal`
`regex.icontains`	regex	`Lottery`
`regex.icontains`	regex	`Management`
`regex.icontains`	regex	`Manager`
`regex.icontains`	regex	`Member Services`
`regex.icontains`	regex	`Notification`
`regex.icontains`	regex	`Offer`
`regex.icontains`	regex	`Operations`
`regex.icontains`	regex	`Order`
`regex.icontains`	regex	`Partner`
`regex.icontains`	regex	`Payment`
`regex.icontains`	regex	`Payroll`
`regex.icontains`	regex	`President`
`regex.icontains`	regex	`Premium`
`regex.icontains`	regex	`Prize`
`regex.icontains`	regex	`Receipt`
`regex.icontains`	regex	`Refund`
`regex.icontains`	regex	`Registrar`
`regex.icontains`	regex	`Required`
`regex.icontains`	regex	`Reward`
`regex.icontains`	regex	`Sales`
`regex.icontains`	regex	`Secretary`
`regex.icontains`	regex	`Security`
`regex.icontains`	regex	`Service`
`regex.icontains`	regex	`Signature`
`regex.icontains`	regex	`StaffAnnouncement`
`regex.icontains`	regex	`Storage`
`regex.icontains`	regex	`Support`
`regex.icontains`	regex	`Sweepstakes`
`regex.icontains`	regex	`System`
`regex.icontains`	regex	`Tax`
`regex.icontains`	regex	`Tech Support`
`regex.icontains`	regex	`Update`
`regex.icontains`	regex	`Upgrade`
`regex.icontains`	regex	`Urgent`
`regex.icontains`	regex	`Validate`
`regex.icontains`	regex	`Verify`
`regex.icontains`	regex	`VIP`
`regex.icontains`	regex	`Webmaster`
`regex.icontains`	regex	`Winner`
`recipients.to[].display_name`	equals	`Undisclosed recipients`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)