Brand impersonation: Microsoft (QR code)
Detects messages from an unsolicited sender that use Microsoft image-based lures (a Microsoft logo in an image, PDF or macro-enabled attachment, or in the rendered message) and that reference or include a QR code. The QR code typically leads the user to a credential-phishing site or initiates an unwanted download. The rule requires either OCR text instructing the reader to scan a QR code or barcode, or a decoded QR URL together with a recipient-targeting signal (the recipient's address in the URL, the recipient's domain in the sender display name, the recipient's local part in the body, an empty body, or authentication/urgency wording in the subject); mail that passes composite authentication (compauth) from microsoft.com itself is exempted.
Sublime rule (View on GitHub)
```yaml
name: "Brand impersonation: Microsoft (QR code)"
description: |
  Detects messages using Microsoft image-based lures, referencing or including a QR code from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          or .file_type in~ $file_extensions_macros
        )
        and (
          any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
          or any(file.explode(.),
                 // for Office documents
                 .flavors.mime == "text/xml"
                 and any(.scan.strings.strings,
                         regex.icontains(.,
                                         'Microsoft (Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)'
                         )
                 )
          )
        )
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           strings.starts_with(.name, "Microsoft")
    )
  )
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            or .file_type in $file_extensions_macros
          )
          and (
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            or (
              any(file.explode(.),
                  .scan.qr.type == "url"
                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                  and any(recipients.to,
                          (
                            (strings.icontains(..scan.qr.data, .email.email))

                            // the recipient's SLD is in the sender's display name
                            or any(recipients.to,
                                   strings.icontains(sender.display_name,
                                                     .email.domain.sld
                                   )
                            )

                            // the recipient's local part is in the body
                            or any(recipients.to,
                                   strings.icontains(body.current_thread.text,
                                                     .email.local_part
                                   )
                            )

                            // or the body is null
                            or body.current_thread.text is null
                            or body.current_thread.text == ""

                            // or the subject contains authentication/urgency verbiage
                            or regex.contains(subject.subject,
                                              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                            )
                          )
                          and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
                  )
              )
            )
          )
  )
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.domain == "microsoft.com"
    )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "ed0f772a-6543-5947-80d1-55a11ea63074"
```
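To see how the three gates of the rule interact, here is a simplified Python re-implementation of the logic above. It is an added example written for this page, not Sublime's rule engine, MQL or any code from the rule's repository. The `Message`, `Recipient` and `Attachment` fields are stand-ins for the MQL attributes the rule reads (`ml.logo_detect(...).brands`, `.scan.ocr.raw`, `.scan.qr.type`/`.scan.qr.data`, `body.current_thread.text`, the compauth hop verdict and `profile.by_sender()`); `LURE_FILE_TYPES` is an assumed stand-in for the `$file_types_images` and `$file_extensions_macros` lists; `compauth_pass` collapses the per-hop `headers.hops` scan into one boolean; and the two sample messages are constructed, not real captures. The phishing sample is a QR lure whose decoded URL carries the recipient's address; the second sample carries the same kind of "scan this QR code" attachment but comes from an authenticated microsoft.com sender the recipient has solicited, so the exemptions suppress it.

```python
# Added example: simplified re-implementation of the rule above; fields are stand-ins for MQL attributes.
import re
from dataclasses import dataclass, field
from typing import List, Optional

OCR_ACTION = re.compile(r"scan|camera", re.I)            # regex.icontains(.scan.ocr.raw, ...)
OCR_QR = re.compile(r"\bQR\b|Q\.R\.|barcode", re.I)
# The rule applies this to the subject with regex.contains, i.e. case-sensitively.
URGENCY = re.compile(r"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)")
LURE_FILE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "pdf", "docm", "xlsm", "pptm"}  # assumed stand-in for the $ lists

@dataclass
class Attachment:
    file_type: str
    brands: List[str] = field(default_factory=list)   # names from ml.logo_detect(.).brands
    ocr_text: str = ""                                # .scan.ocr.raw
    qr_type: Optional[str] = None                     # .scan.qr.type
    qr_data: str = ""                                 # .scan.qr.data

@dataclass
class Recipient:
    email: str
    display_name: str = ""
    domain_valid: bool = True                         # .email.domain.valid

@dataclass
class Message:
    sender_email: str
    sender_display_name: str
    subject: str
    body_text: Optional[str]                          # body.current_thread.text
    recipients: List[Recipient]                       # recipients.to
    attachments: List[Attachment]
    compauth_pass: bool = False                       # some hop has compauth.verdict == "pass"
    screenshot_brands: List[str] = field(default_factory=list)  # logo_detect(message_screenshot())
    solicited: bool = False                           # profile.by_sender().solicited
    any_malicious_or_spam: bool = False               # profile.by_sender().any_messages_malicious_or_spam
    any_false_positives: bool = False                 # profile.by_sender().any_false_positives

def is_lure_file(a: Attachment) -> bool:
    return a.file_type.lower() in LURE_FILE_TYPES

def microsoft_lure(msg: Message) -> bool:
    """Gate 1: Microsoft logo in a lure attachment or in the rendered message."""
    return (any(is_lure_file(a) and any(b.startswith("Microsoft") for b in a.brands) for a in msg.attachments)
            or any(b.startswith("Microsoft") for b in msg.screenshot_brands))

def ocr_qr_instruction(a: Attachment) -> bool:
    return bool(OCR_ACTION.search(a.ocr_text) and OCR_QR.search(a.ocr_text))

def recipient_targeted_qr(msg: Message, a: Attachment) -> bool:
    """QR decodes to a URL and the message is tailored to a recipient, empty, or urgent."""
    if a.qr_type != "url":
        return False
    body = (msg.body_text or "").lower()
    for r in msg.recipients:
        signal = (
            r.email.lower() in a.qr_data.lower()
            # rough stand-in for .email.domain.sld: alice@contoso.example -> contoso
            or any(x.email.split("@", 1)[1].split(".")[-2].lower() in msg.sender_display_name.lower()
                   for x in msg.recipients)
            or any(x.email.split("@", 1)[0].lower() in body for x in msg.recipients)
            or not msg.body_text
            or URGENCY.search(msg.subject) is not None
        )
        if signal and (r.domain_valid or "undisclosed" in r.display_name.lower()):
            return True
    return False

def qr_indicator(msg: Message) -> bool:
    """Gate 2: a lure attachment carries a QR instruction or a recipient-targeted QR URL."""
    return any(is_lure_file(a) and (ocr_qr_instruction(a) or recipient_targeted_qr(msg, a))
               for a in msg.attachments)

def authenticated_microsoft(msg: Message) -> bool:
    """Exemption: compauth pass and the sender domain is microsoft.com itself."""
    return msg.compauth_pass and msg.sender_email.rsplit("@", 1)[-1].lower() == "microsoft.com"

def unsolicited_sender(msg: Message) -> bool:
    return ((not msg.solicited or (msg.any_malicious_or_spam and not msg.any_false_positives))
            and not msg.any_false_positives)

def matches(msg: Message) -> bool:
    return (microsoft_lure(msg) and qr_indicator(msg)
            and not authenticated_microsoft(msg) and unsolicited_sender(msg))

PHISH = Message("alerts@mail-notify.example", "Microsoft Account Team",       # constructed sample
                "Action Required: Microsoft Authenticator", body_text="",
                recipients=[Recipient("alice@contoso.example")],
                attachments=[Attachment("png", brands=["Microsoft"], qr_type="url",
                                        qr_data="https://login-verify.example/?u=alice@contoso.example")])
LEGIT = Message("account-security-noreply@microsoft.com", "Microsoft account team",  # constructed sample
                "Set up the Authenticator app", body_text="Follow the steps in the attached guide.",
                recipients=[Recipient("alice@contoso.example")],
                attachments=[Attachment("png", brands=["Microsoft"],
                                        ocr_text="Scan this QR code with your phone camera")],
                compauth_pass=True, solicited=True)

if __name__ == "__main__":
    print("phish:", matches(PHISH), "legit:", matches(LEGIT))  # True False
```

One detail worth noticing when tuning: the subject check uses `regex.contains` rather than `regex.icontains`, so it is case-sensitive. A subject of `Action Required` is not caught by `action.require`, whereas `Authenticator` is caught by `Authenticat(e|or|ion)`; the OCR and Office-document string checks use `regex.icontains` and are case-insensitive.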