T1566.001 QR CodePhishingAttachment(Quishing)

T1566.001 - QR Code Phishing Attachment (Quishing)

DESCRIPTION

Detects for email that’s delivered to inbox, potentially containing any QR code phishing images and/or attachment(s).

Author: DGov WA - Threat Hunt

Related

phishing - Quishing

Reference:

• Five common QR code scams – Microsoft 365

• Think Before You Scan: The Rise of QR Codes in Phishing

ATT&CK TACTICS

T1566.001 - Phishing: Spearphishing Attachment

Data Source(s): Application Log, Email

SENTINEL RULE QUERY

let selection_filetype=dynamic(["png","gif","jpeg","jpg"]); let selection_subject=dynamic(["2FA","Action","payroll","MFA"]); //add other potential subjects let filter_domain=dynamic(["microsoft.com","sharepointonline.com"]); //add agency specific filter let lookback = 3d; EmailEvents | where TimeGenerated > ago(lookback) | summarize arg_min(TimeGenerated,*) by NetworkMessageId, RecipientEmailAddress, TenantId | where EmailDirection == 'Inbound' | where DeliveryAction == 'Delivered' | where SenderMailFromDomain !contains "wa.gov.au" | extend username_ = tostring(split(RecipientEmailAddress, "@")[0]) | extend domain_ = tostring(split(RecipientEmailAddress, "@")[1]) | extend domain_name_ = tostring(split(domain_, ".")[0]) | where Subject contains username_ or Subject contains domain_ or Subject contains domain_name_ or Subject has_any (selection_subject) | where not(SenderMailFromDomain has_any (filter_domain)) | join ( EmailAttachmentInfo | where TimeGenerated > ago(lookback) | where FileType has_any (selection_filetype) | where FileName matches regex "^[A-Za-z0-9]{7,10}\\.[A-Za-z0-9]+$" //tweak here to change potential qr code filename convention changes | where FileName !startswith "image" and FileName !startswith "ATT00" //ignore lists for known attachment false positive ) on NetworkMessageId

Triage

1. Verify the email sender and subjects fields, whether it’s known and/or expected

2. Confirm the QR code is on the email as an attachment and/or email body, and confirm redirection to potential phishing website

FalsePositive

1. Legitimate internal application sending out attachments

VERSION

Version 1.0 (date: 22/09/2023)