[PR #3461] added rule: Compensation review with QR code in attached EML

github-actions[bot] · github-actions[bot] · commit 222196118809 · 2025-11-03T15:46:14.000Z
diff --git a/detection-rules/3461_comp_review_qr_attached_eml.yml b/detection-rules/3461_comp_review_qr_attached_eml.yml
@@ -0,0 +1,93 @@
+name: "Compensation review with QR code in attached EML"
+description: "Detects inbound messages containing compensation-related terms (salary, bonus, merit, etc.) combined with review/change language that include EML attachments containing QR codes or barcodes in scanned documents."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  
+  // the subject contains pay related items
+  and (
+    strings.icontains(subject.subject, 'salary')
+    or regex.icontains(subject.subject, 'comp(?:liance|ensation|\b)')
+    or strings.icontains(subject.subject, 'remuneration')
+    or regex.icontains(subject.subject, '\bpay(?:roll|\b)')
+    or strings.icontains(subject.subject, 'bonus')
+    or strings.icontains(subject.subject, 'incentive')
+    or strings.icontains(subject.subject, 'merit')
+    or strings.icontains(subject.subject, 'handbook')
+    or strings.icontains(subject.subject, 'benefits')
+  )
+  // subjects include review/updates/changes
+  and (
+    strings.icontains(subject.subject, 'review')
+    or strings.icontains(subject.subject, 'evaluation')
+    or regex.icontains(subject.subject, 'eval\b')
+    or strings.icontains(subject.subject, 'assessment')
+    or strings.icontains(subject.subject, 'appraisal')
+    or strings.icontains(subject.subject, 'feedback')
+    or strings.icontains(subject.subject, 'performance')
+    or strings.icontains(subject.subject, 'adjustment')
+    or strings.icontains(subject.subject, 'statement')
+    or strings.icontains(subject.subject, 'increase')
+    or strings.icontains(subject.subject, 'raise')
+    or strings.icontains(subject.subject, 'change')
+    or strings.icontains(subject.subject, 'modification')
+    or strings.icontains(subject.subject, 'distribution')
+    or strings.icontains(subject.subject, 'Disbursement')
+    or regex.icontains(subject.subject, 'revis(?:ed|ion)')
+    or regex.icontains(subject.subject, 'amend(?:ed|ment)')
+    or strings.icontains(subject.subject, 'update')
+  )
+  and any(filter(attachments,
+                 .content_type == "message/rfc822" or .file_extension in ('eml')
+          ),
+          // inspect attachments in nested EML
+          any(file.parse_eml(.).attachments,
+              any(file.explode(.),
+                  (
+                    regex.icontains(.scan.ocr.raw, 'scan|camera')
+                    and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
+                  )
+                  or .scan.qr.type == "url" and .scan.qr.url.domain.valid
+              )
+          )
+          // inspect nested EML in body.current_thread
+          or (
+            regex.icontains(file.parse_eml(.).body.current_thread.text,
+                            'scan|camera'
+            )
+            and regex.icontains(file.parse_eml(.).body.current_thread.text,
+                                '\bQR\b|Q\.R\.|barcode'
+            )
+          )
+          // or there is a QR code found within the body of the nested body
+          or (
+            beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)).found
+            and any(beta.scan_qr(file.html_screenshot(file.parse_eml(.).body.html)
+                    ).items,
+                    .type == "url" and .url.domain.valid
+            )
+          )
+  )
+  
+  // negate instances where proofpoint sends a review of a reported message via analyzer 
+  and not (
+    sender.email.email == "analyzer@analyzer.securityeducation.com"
+    and any(headers.domains, .root_domain == "pphosted.com")
+    and headers.auth_summary.spf.pass
+    and headers.auth_summary.dmarc.pass
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "QR code"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Content analysis"
+  - "Optical Character Recognition"
+  - "QR code analysis"
+id: "c23a7095-da4a-5881-adbc-623656779c16"
+og_id: "98a2f03c-4bec-556d-af84-709d41819877"
+testing_pr: 3461
+testing_sha: 677545e432d1e44c9ecee06ca27505db1b096d73
