Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
Detects inbound messages containing EML attachments with embedded links targeting Microsoft OAuth authentication flows. The rule identifies suspicious Microsoft login URLs with specific query parameters indicating credential harvesting attempts, including offline access permissions, read/write scopes, and reprocessing endpoints. Links are detected within EML body content, embedded PDF/HTML attachments, and ICS calendar files.
name: "Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links"
description: "Detects inbound messages containing EML attachments with embedded links targeting Microsoft OAuth authentication flows. The rule identifies suspicious Microsoft login URLs with specific query parameters indicating credential harvesting attempts, including offline access permissions, read/write scopes, and reprocessing endpoints. Links are detected within EML body content, embedded PDF/HTML attachments, and ICS calendar files."
type: "rule"
severity: "high"
source: |
  //
  // Inbound message -> attached EML (matched by MIME type or extension) -> a link
  // to login.microsoftonline.com carrying OAuth-style query/path markers.
  // The sign-in host is Microsoft's own, so the host match alone is not the
  // signal; the signal is host + parameter patterns reached through an attached
  // message rather than the outer body. The same URL predicate is written out
  // three times (EML body links, PDF/HTML attachments, ICS events) because each
  // branch walks a differently shaped object — keep the copies in sync when tuning.
  //
  type.inbound
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension in ("eml"))
          and (
            // Branch 1: links in the attached EML's own body.
            any(file.parse_eml(.).body.links,
                .href_url.domain.domain == 'login.microsoftonline.com'
                and (
                  // Scope / consent / session markers in the query string.
                  // NOTE(review): assuming '*' matches any run of characters,
                  // '*.read*' already covers everything '*.readwrite*' matches, and
                  // '*ctx=*' matches every query string containing 'ctx=' — so the
                  // '/common/reprocess' alternative below never adds a match of its
                  // own. Confirm this breadth is intended; a legitimate sign-in link
                  // forwarded inside an EML could satisfy it as well.
                  strings.ilike(.href_url.query_params,
                                '*offline_access*',
                                '*.readwrite*',
                                '*.read*',
                                '*ctx=*',
                                '*prompt=none*'
                  )
                  // Reprocess endpoint carrying both a session context and a session id.
                  or (
                    strings.icontains(.href_url.path, '/common/reprocess')
                    and strings.icontains(.href_url.query_params, 'ctx=')
                    and strings.icontains(.href_url.query_params, 'sessionId=')
                  )
                )
            )
            // Branch 2: URLs found by exploding PDF and HTML attachments inside the EML.
            // NOTE(review): this filter keys on .file_type only, whereas the ICS branch
            // also checks .file_extension and .content_type — confirm the asymmetry is
            // deliberate.
            or any(filter(file.parse_eml(.).attachments,
                          .file_type in ("pdf", "html")
                   ),
                   any(file.explode(.),
                       any(.scan.url.urls,
                           .domain.domain == 'login.microsoftonline.com'
                           and (
                             // Same query/path test as branch 1, applied to the
                             // exploded URL object (no .href_url level here).
                             strings.ilike(.query_params,
                                           '*offline_access*',
                                           '*.readwrite*',
                                           '*.read*',
                                           '*ctx=*',
                                           '*prompt=none*'
                             )
                             or (
                               strings.icontains(.path, '/common/reprocess')
                               and strings.icontains(.query_params, 'ctx=')
                               and strings.icontains(.query_params, 'sessionId=')
                             )
                           )
                       )
                   )
            )
            // Branch 3: links inside the events of ICS calendar attachments inside the EML.
            or any(filter(file.parse_eml(.).attachments,
                          .file_type == "ics"
                          or .file_extension == "ics"
                          or .content_type in ("application/ics", "text/calendar")
                   ),
                   //
                   // This rule makes use of a beta feature and is subject to change without notice
                   // using the beta feature in custom rules is not suggested until it has been formally released
                   //
                   any(beta.file.parse_ics(.).events,
                       any(.links,
                           .href_url.domain.domain == 'login.microsoftonline.com'
                           and (
                             // Same query/path test as branch 1, on each event link.
                             strings.ilike(.href_url.query_params,
                                           '*offline_access*',
                                           '*.readwrite*',
                                           '*.read*',
                                           '*ctx=*',
                                           '*prompt=none*'
                             )
                             or (
                               strings.icontains(.href_url.path,
                                                 '/common/reprocess'
                               )
                               and strings.icontains(.href_url.query_params,
                                                     'ctx='
                               )
                               and strings.icontains(.href_url.query_params,
                                                     'sessionId='
                               )
                             )
                           )
                       )
                   )
            )
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Content analysis"
id: "6788a4c8-699b-53af-8f2d-5dafcff63843"