
Scenarios Examples

Explore ready-to-use scenarios. Get inspired and see what's possible!

Block Potential Quishing in Email

· 4 min read
Contextal Team
Contextal Platform Creators

Quishing (QR Code Phishing) attacks have been growing in the last two years, as threat actors continuously adapt their techniques. Unlike traditional phishing emails that contain suspicious links, quishing attacks embed QR codes in email attachments, such as PDFs or Office documents, tricking users into scanning them with their mobile devices. Since QR codes are image-based and cannot be inspected without special processing, they often bypass traditional URL filters and email security measures.

To make these attacks more effective, cybercriminals often use freshly registered domains or popular URL shorteners to mask their phishing links. Some campaigns also make use of public file-sharing services (such as Google Drive or Dropbox) to distribute malware or credential-harvesting pages. This makes Quishing a highly deceptive and effective social engineering attack.

Block Malformed Office Documents Used in Phishing Campaigns

· 3 min read
Contextal Team
Contextal Platform Creators

By the end of 2024, threat actors began employing a new technique to deliver phishing attacks using handcrafted Office files. The legitimate document content is preceded by specifically crafted data, which disrupts format detection mechanisms. Surprisingly, Microsoft Office, when opening such a file based on its extension, offers to recover the data. It scans for a valid header and opens the Office content embedded within the manipulated file.

According to our research, existing protections offered by major vendors are ineffective, and it remains relatively easy to create files that evade detection. Here, we demonstrate how to create a scenario in Contextal Platform to block all attacks of this type!

Block Documents Containing Newly Registered Domains

· 2 min read
Contextal Team
Contextal Platform Creators

According to recent research, newly registered domain names used in phishing attacks remain one of the biggest threats to internet users. The study found that domain names used in phishing attacks have an average lifetime of 21 days, with the majority being used within 4 days of registration.

We will create a scenario that detects and blocks Office, ODF, and PDF documents containing links to domain names registered less than 30 days ago.

Block Obfuscated JS in Email

· 2 min read
Contextal Team
Contextal Platform Creators

In this example, we demonstrate how to detect and block obfuscated JavaScript within Email objects (and their child objects). This technique can also be adapted to any other data type that might contain JavaScript.

The Text backend makes use of machine learning to identify common scripting languages, such as JavaScript. By combining this detection with a common characteristic of malicious scripts—obfuscation into one-liners—we can build an effective filter. Here's how:

Detect Suspicious LNK Files

· 2 min read
Contextal Team
Contextal Platform Creators

Windows shortcut (LNK) files are frequently used for malicious purposes by threat actors. In this article we cover an example scenario that takes several characteristics into account to block potentially malicious shortcut files.

Alert on CRLF Injection

· 2 min read
Contextal Team
Contextal Platform Creators

A Carriage Return Line Feed (CRLF) Injection is a type of web security vulnerability where an attacker manipulates how web applications interpret input containing carriage return (\r) and line feed (\n) characters.

Alert on XLM Macros

· One min read
Contextal Team
Contextal Platform Creators

Excel 4.0 macros (also known as XLM macros) are frequently used for malicious purposes, and while Microsoft now by default limits their usage, they could still pose a threat in some environments.