Brand impersonation: Microsoft (QR code)
Detects inbound messages that use Microsoft-branded lures (images, PDFs or macro-enabled Office documents) which reference or contain a QR code, sent by an unsolicited sender — one the recipient has no prior correspondence with. These messages typically direct the user to a credential-phishing page or initiate an unwanted download; mail that passes composite authentication from microsoft.com itself is exempted.
Sublime rule (View on GitHub)
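name: "Brand impersonation: Microsoft (QR code)"
description: |
  Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
type: "rule"
severity: "high"
# Detection outline:
#   1. the message carries Microsoft branding (logo detection on an attachment or on
#      a rendering of the message, or Microsoft + auth/urgency wording found via
#      string scan / OCR),
#   2. an attachment references a QR code (OCR wording) or contains a URL QR code
#      that is tied to the recipient or to an urgency/auth context,
#   3. the mail is not authenticated mail from microsoft.com itself, and
#   4. the sender is unsolicited and has no benign history with the recipient.
source: |
  type.inbound
  // --- 1. Microsoft branding ------------------------------------------------
  and (
    any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          or .file_type in~ $file_extensions_macros
        )
        and (
          any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
          or any(file.explode(.),
                 // for Office documents
                 .flavors.mime == "text/xml"
                 and any(.scan.strings.strings,
                         regex.icontains(.,
                                         'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
                         )
                 )
          )
        )
    )
    // Microsoft logo anywhere in a rendered screenshot of the message
    or any(ml.logo_detect(file.message_screenshot()).brands,
           strings.starts_with(.name, "Microsoft")
    )
    or (
      // limited body length
      length(body.current_thread.text) < 300
      and any(filter(attachments,
                     .file_type in $file_types_images
                     // image attachments that are displayed in the body
                     // when the content-id is corrected, this will be much more simple
                     and (
                       any(regex.extract(.content_id, '^<(?P<cid>[^\>]+)\>$'),
                           strings.icontains(body.html.raw, .named_groups["cid"])
                       )
                       or strings.icontains(body.html.raw, .content_id)
                     )
              ),
              // those images contain the wording
              any(file.explode(.),
                  regex.icontains(.scan.ocr.raw,
                                  'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
                  )
              )
      )
    )
  )
  // --- 2. QR code reference or QR code URL -----------------------------------
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            // case-insensitive match, consistent with the branding check above
            or .file_type in~ $file_extensions_macros
          )
          and (
            // the attachment *talks about* scanning a QR code
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            // or the attachment *contains* a QR code that decodes to a URL
            or (
              any(file.explode(.),
                  .scan.qr.type == "url"
                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                  and any(recipients.to,
                          (
                            (strings.icontains(..scan.qr.data, .email.email))

                            // the recipients sld is in the senders display name
                            or any(recipients.to,
                                   strings.icontains(sender.display_name,
                                                     .email.domain.sld
                                   )
                            )

                            // the recipient local is in the body
                            or any(recipients.to,
                                   strings.icontains(body.current_thread.text,
                                                     .email.local_part
                                   )
                            )

                            // or the body is null
                            or body.current_thread.text is null
                            or body.current_thread.text == ""

                            // or the subject contains authentication/urgency verbiage
                            // NOTE(review): regex.contains is case-sensitive here, unlike the
                            // regex.icontains checks used elsewhere in this rule — confirm intent
                            or regex.contains(subject.subject,
                                              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                            )
                          )
                          // only consider real recipient domains (or "undisclosed recipients")
                          and (
                            .email.domain.valid
                            or strings.icontains(.display_name, "undisclosed")
                          )
                  )
              )
            )
          )
  )
  // --- 3. exempt genuine, authenticated mail from microsoft.com --------------
  // The exemption requires BOTH a compauth pass on a hop AND the exact sender
  // domain microsoft.com, so lookalike domains and unauthenticated spoofs of
  // microsoft.com are still evaluated by the rest of the rule.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.domain == "microsoft.com"
    )
  )
  // --- 4. sender reputation ----------------------------------------------------
  // Equivalent to the original
  //   (not solicited or (malicious_or_spam and not benign)) and not benign
  // with the duplicated benign check folded out. Any sender with benign history
  // is excluded outright, so a compromised previously-trusted sender is out of
  // scope for this rule.
  and not profile.by_sender().any_messages_benign
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "ed0f772a-6543-5947-80d1-55a11ea63074"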