Update attachment_qr_code_suspicious_components.yml

[vector-sec]

Description

In situations where an email contains an attachment with a QR code, but the recipients.to is only "undisclosed-recipients" the sections like

any(recipients.to,
    strings.icontains(..scan.qr.url.url, .email.email)
)

always evaluate to true. I tried setting the filter for where email isn't null, but that seemed to not work either, so I went with where length of email.email > 0.

After this change, the false positive that I have with "undisclosed-recipients" and a benign URL bearing QR code in an attachment is no longer flagged by this message.

Associated samples

The Sublime team may find a sample I shared in the platform with the comment PR - Attachment: QR code with credential phishing indicators

Associated hunts

• Hunt 1

Screenshot (insights)

[zoomequipd]

hey @vector-sec! Thanks for getting this submitted, I made a quick commit to handle this via .domain.valid but still has the same effect!

There are some new FNs that are introduced in our test suite as a result of the change, so I'll have to dig through those before we can get this merged, will try to make time for this before I head out to Blackhat!