From cbe258dc1735f283c3ec65f8a4dcf46d18dd50c1 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Wed, 6 Dec 2023 10:18:39 -0500
Subject: [PATCH] New Rule: QR code with phishing disposition in img or pdf (#1082)
Co-authored-by: Josh Kamdjou
---
 ...n_img_or_pdf_with_phishing_disposition.yml | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 link_qr_code_in_img_or_pdf_with_phishing_disposition.yml
diff --git a/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml b/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml
new file mode 100644
index 00000000000..a8e31922d12
--- /dev/null
+++ b/link_qr_code_in_img_or_pdf_with_phishing_disposition.yml
@@ -0,0 +1,51 @@
+name: "Link: QR code with phishing disposition in img or pdf"
+description: "This rule analyzes image attachments for QR Codes in which LinkAnalysis concludes is phishing. The rule ensures that the URLs do not link to any organizational domains."
+type: "rule"
+severity: "high"
+source: |
+ type.inbound
+ and length(attachments) < 10
+ and any(attachments,
+ (.file_type in $file_types_images or .file_type == "pdf")
+ and any(file.explode(.),
+ .scan.qr.type == "url"
+
+ // linkanalysis phishing disposition
+ and any([beta.linkanalysis(.scan.qr.url)],
+ .credphish.disposition == "phishing"
+ )
+ and .scan.qr.url.domain.root_domain not in $org_domains
+ )
+ )
+ and (
+ not profile.by_sender().solicited
+ or (
+ profile.by_sender().any_messages_malicious_or_spam
+ and not profile.by_sender().any_false_positives
+ )
+ )
+
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and (
+ any(distinct(headers.hops, .authentication_results.dmarc is not null),
+ strings.ilike(.authentication_results.dmarc, "*fail")
+ )
+ )
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+ )
+ and not profile.by_sender().any_false_positives
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "QR code"
+ - "Social engineering"
+detection_methods:
+ - "Content analysis"
+ - "Computer Vision"
+ - "QR code analysis"
+ - "Sender analysis"
+ - "URL analysis"
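Review bot: The `description` line in this hunk says the rule analyzes image attachments, but the `source` block also matches `.file_type == "pdf"`, so the text understates the rule's scope and its grammar is hard to follow; suggest `description: "This rule analyzes image and PDF attachments for QR codes whose decoded URL LinkAnalysis classifies as phishing, and ensures the URL does not point at an organizational domain."`. The trailing `and not profile.by_sender().any_false_positives` already enforces the same condition that appears inside the `or (...)` branch of the sender-profile block, so the inner occurrence is redundant and dropping it would make that block easier to read. The bare `and length(attachments) < 10` guard would benefit from a one-line comment stating why ten is the cutoff, presumably to bound the cost of `file.explode` on attachment-heavy messages; confirm the intent with the authors before adding it.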