Detects email delivered to the inbox that potentially contains QR code phishing images and/or attachments.
Author: DGov WA - Threat Hunt
Related: phishing - Quishing
Reference:
{{ mitre("T1566.001")}}
Data Source(s): Application Log, Email
// Tuning lists: extend these to suit the agency
let selection_filetype=dynamic(["png","gif","jpeg","jpg"]); // image types a QR code would be sent as
let selection_subject=dynamic(["2FA","Action","payroll","MFA"]); // add other potential subjects
let filter_domain=dynamic(["microsoft.com","sharepointonline.com"]); // add agency-specific sender allow-list entries
let lookback = 3d;
EmailEvents
| where TimeGenerated > ago(lookback)
| summarize arg_min(TimeGenerated,*) by NetworkMessageId, RecipientEmailAddress, TenantId // one row per message/recipient/tenant
| where EmailDirection == 'Inbound'
| where DeliveryAction == 'Delivered' // only mail that reached the inbox
| where SenderMailFromDomain !contains "wa.gov.au" // external senders only
| extend username_ = tostring(split(RecipientEmailAddress, "@")[0])
| extend domain_ = tostring(split(RecipientEmailAddress, "@")[1])
| extend domain_name_ = tostring(split(domain_, ".")[0])
// Subject references the recipient's name/domain or a typical lure keyword
| where Subject contains username_ or Subject contains domain_ or Subject contains domain_name_ or Subject has_any (selection_subject)
| where not(SenderMailFromDomain has_any (filter_domain))
| join
(
EmailAttachmentInfo
| where TimeGenerated > ago(lookback)
| where FileType has_any (selection_filetype)
| where FileName matches regex "^[A-Za-z0-9]{7,10}\\.[A-Za-z0-9]+$" // tweak here if the QR code filename convention changes
| where FileName !startswith "image" and FileName !startswith "ATT00" // ignore list for known attachment false positives
) on NetworkMessageId
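To test the filename regex and subject heuristics offline before tuning the lists, the following is an added Python re-implementation of the query's filtering, dedupe and join logic (not the page's query, and only an approximation of KQL's contains/has_any semantics), run over constructed sample rows:

```python
import re

# Tuning lists copied from the query's dynamic() arrays; extend them the same way
SELECTION_FILETYPE = {"png", "gif", "jpeg", "jpg"}
SELECTION_SUBJECT = ["2FA", "Action", "payroll", "MFA"]
FILTER_DOMAIN = ["microsoft.com", "sharepointonline.com"]
INTERNAL_DOMAIN = "wa.gov.au"
QR_NAME_RE = re.compile(r"^[A-Za-z0-9]{7,10}\.[A-Za-z0-9]+$")  # same filename convention as the query

def subject_matches(subject, recipient):
    # Subject clause: recipient user part / domain / first label (contains), or a keyword (has_any, term-based)
    username, _, domain = recipient.partition("@")
    s = subject.lower()
    return (any(t.lower() in s for t in (username, domain, domain.split(".")[0]))
            or any(kw.lower() in re.findall(r"[a-z0-9]+", s) for kw in SELECTION_SUBJECT))
def suspicious_attachment(att):
    # EmailAttachmentInfo side: image type, short random-looking name, not on the ignore list
    return (att["FileType"].lower() in SELECTION_FILETYPE
            and QR_NAME_RE.match(att["FileName"]) is not None
            and not att["FileName"].startswith(("image", "ATT00")))
def find_quishing_candidates(email_events, attachments):  # -> {NetworkMessageId: [filenames]}
    earliest = {}  # arg_min(TimeGenerated, *) by message, recipient, tenant
    for ev in sorted(email_events, key=lambda e: e["TimeGenerated"]):
        earliest.setdefault((ev["NetworkMessageId"], ev["RecipientEmailAddress"], ev["TenantId"]), ev)
    by_msg = {}  # right side of the join, keyed on NetworkMessageId
    for att in attachments:
        if suspicious_attachment(att):
            by_msg.setdefault(att["NetworkMessageId"], []).append(att["FileName"])
    hits = {}
    for ev in earliest.values():
        sender = ev["SenderMailFromDomain"].lower()
        if (ev["EmailDirection"] == "Inbound" and ev["DeliveryAction"] == "Delivered"
                and INTERNAL_DOMAIN not in sender
                and not any(d in sender for d in FILTER_DOMAIN)  # has_any approximated by substring
                and subject_matches(ev["Subject"], ev["RecipientEmailAddress"])
                and ev["NetworkMessageId"] in by_msg):
            hits[ev["NetworkMessageId"]] = by_msg[ev["NetworkMessageId"]]
    return hits

SAMPLE_EVENTS = [  # constructed telemetry, not real data: m1 should hit, m2 has an allow-listed sender
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "jdoe@agency.wa.gov.au", "TenantId": "t1",
     "TimeGenerated": 2, "EmailDirection": "Inbound", "DeliveryAction": "Delivered",
     "SenderMailFromDomain": "notify.example.net", "Subject": "MFA reset required"},
    {"NetworkMessageId": "m2", "RecipientEmailAddress": "jdoe@agency.wa.gov.au", "TenantId": "t1",
     "TimeGenerated": 1, "EmailDirection": "Inbound", "DeliveryAction": "Delivered",
     "SenderMailFromDomain": "sharepointonline.com", "Subject": "Action: agency file shared"},
]
SAMPLE_ATTACHMENTS = [{"NetworkMessageId": "m1", "FileType": "png", "FileName": "k9Qx27Lm.png"},
                      {"NetworkMessageId": "m2", "FileType": "jpg", "FileName": "Zt83QpWn.jpg"}]
```

Running `find_quishing_candidates(SAMPLE_EVENTS, SAMPLE_ATTACHMENTS)` returns only m1; note that a substring check would also flag "transaction" for the keyword "Action", which is why the keyword match is token-based like has_any.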
- Verify the email sender and subject fields, and whether they are known and/or expected
- Confirm the QR code is in the email as an attachment and/or in the email body, and confirm whether it redirects to a potential phishing website
- Legitimate internal applications sending out attachments
Version 1.0 (date: 22/09/2023)