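// Hunt for likely QR-code phishing: inbound, delivered mail from outside the
// agency whose subject is personalised to the recipient (or uses one of the
// lure words below) and which carries an image attachment with a short,
// random-looking file name.
//
// Tuning knobs:
//   selection_filetype - attachment types that can carry the QR image
//   selection_subject  - lure words searched for in the subject
//   filter_domain      - sender domains suppressed as known-noisy
//   internal_domain    - the agency's own mail domain
//   lookback           - how far back to search
let selection_filetype=dynamic(["png","gif","jpeg","jpg"]);
let selection_subject=dynamic(["2FA","Action","payroll","MFA"]); //add other potential subjects
let filter_domain=dynamic(["microsoft.com","sharepointonline.com"]); //add agency specific filter
let internal_domain="wa.gov.au"; //agency mail domain; its subdomains are treated as internal too
let lookback = 3d;
EmailEvents
| where TimeGenerated > ago(lookback)
// Keep only the earliest record per message, recipient and tenant.
| summarize arg_min(TimeGenerated,*) by NetworkMessageId, RecipientEmailAddress, TenantId
| where EmailDirection == 'Inbound'
| where DeliveryAction == 'Delivered'
// Exclude the agency's own senders with an exact or dot-anchored suffix match.
// A plain substring test would also exclude any external domain that merely
// embeds the agency name (constructed example: wa.gov.au.example.net), which
// would hide exactly the look-alike senders this hunt is for.
| where not(SenderMailFromDomain =~ internal_domain or SenderMailFromDomain endswith strcat(".", internal_domain))
| extend username_ = tostring(split(RecipientEmailAddress, "@")[0])
| extend domain_ = tostring(split(RecipientEmailAddress, "@")[1])
| extend domain_name_ = tostring(split(domain_, ".")[0])
// Personalised subject (recipient's mailbox name or domain) or a known lure word.
// Empty parts are skipped so a malformed recipient address is never tested
// against the subject as an empty string.
| where (isnotempty(username_) and Subject contains username_)
    or (isnotempty(domain_) and Subject contains domain_)
    or (isnotempty(domain_name_) and Subject contains domain_name_)
    or Subject has_any (selection_subject)
// NOTE(review): has_any matches whole terms anywhere in the value, so a sender
// domain that only contains one of these names as leading labels (constructed
// example: microsoft.com.example.net) is suppressed as well. SenderMailFromDomain
// is the envelope sender and is chosen by the sender; consider an anchored
// suffix match here and a check of AuthenticationDetails before suppressing.
| where not(SenderMailFromDomain has_any (filter_domain))
// innerunique is the default join flavour, written out here: the left side is
// de-duplicated per NetworkMessageId, so for a multi-recipient message the
// left-hand recipient columns describe one arbitrary recipient.
// NOTE(review): use kind=inner with RecipientEmailAddress as a second key if
// one row per recipient is wanted - confirm against how results are triaged.
| join kind=innerunique
(
EmailAttachmentInfo
| where TimeGenerated > ago(lookback)
| where FileType has_any (selection_filetype)
// 7-10 alphanumeric characters, a dot, then an alphanumeric extension.
| where FileName matches regex "^[A-Za-z0-9]{7,10}\\.[A-Za-z0-9]+$" //tweak here to change potential qr code filename convention changes
| where FileName !startswith "image" and FileName !startswith "ATT00" //ignore lists for known attachment false positive
) on NetworkMessageId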