Update attachment_qr_with_recipient_targeting_and_special_characters.yml (#3981)

hadojae · web-flow · commit 2044a5980cad · 2026-02-09T20:23:23.000Z
diff --git a/detection-rules/attachment_qr_with_recipient_targeting_and_special_characters.yml b/detection-rules/attachment_qr_with_recipient_targeting_and_special_characters.yml
@@ -9,7 +9,11 @@ source: |
   and any(attachments,
           (
             // Office documents
-            .file_extension in $file_extensions_macros
+            (
+              .file_extension in $file_extensions_macros
+              // Email Attachments
+              or .file_extension == "eml"
+            )
             and any(file.explode(.),
                     .scan.qr.type == "url"
                     // QR code URL contains recipient's email (targeting indicator)
@@ -123,6 +127,7 @@ source: |
             )
           )
   )
+
 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,11 @@ source: \|`
`9`	`9`	`and any(attachments,`
`10`	`10`	`(`
`11`	`11`	`// Office documents`
`12`		`- .file_extension in $file_extensions_macros`
	`12`	`+ (`
	`13`	`+ .file_extension in $file_extensions_macros`
	`14`	`+ // Email Attachments`
	`15`	`+ or .file_extension == "eml"`
	`16`	`+ )`
`13`	`17`	`and any(file.explode(.),`
`14`	`18`	`.scan.qr.type == "url"`
`15`	`19`	`// QR code URL contains recipient's email (targeting indicator)`
`@@ -123,6 +127,7 @@ source: \|`
`123`	`127`	`)`
`124`	`128`	`)`
`125`	`129`	`)`
	`130`	`+`
`126`	`131`	`attack_types:`
`127`	`132`	`- "Credential Phishing"`
`128`	`133`	`tactics_and_techniques:`