Brand impersonation: Microsoft (QR code)

Detects messages using Microsoft image-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Microsoft (QR code)"
  2description: |
  3    Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
  4type: "rule"
  5severity: "high"
  6source: |
  7  type.inbound
  8  and (
  9    any(attachments,
 10        (
 11          .file_type in $file_types_images
 12          or .file_type == "pdf"
 13          or .file_type in~ $file_extensions_macros
 14        )
 15        and (
 16          any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 17          or any(file.explode(.),
 18                 // for Office documents
 19                 .flavors.mime == "text/xml"
 20                 and any(.scan.strings.strings,
 21                         regex.icontains(.,
 22                                         'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
 23                         )
 24                 )
 25          )
 26        )
 27    )
 28    or any(ml.logo_detect(beta.message_screenshot()).brands,
 29           strings.starts_with(.name, "Microsoft")
 30    )
 31    or (
 32      // limited body length 
 33      length(body.current_thread.text) < 300
 34      and any(filter(attachments,
 35                     .file_type in $file_types_images
 36                     // image attachments that are displayed in the body
 37                     // when the content-id is corrected, this will be much more simple
 38                     and 
 39                     (
 40                      any(regex.extract(.content_id, '^<(?P<cid>[^\>]+)\>$'),
 41                              strings.icontains(body.html.raw,
 42                                                .named_groups["cid"]
 43                              )
 44                      )
 45                      or strings.icontains(body.html.raw, .content_id)
 46                     )
 47              ),
 48              // those images contain the wording
 49              any(file.explode(.),
 50                  regex.icontains(.scan.ocr.raw,
 51                                  'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
 52                  )
 53              )
 54      )
 55    )
 56  )
 57  and any(attachments,
 58          (
 59            .file_type in $file_types_images
 60            or .file_type == "pdf"
 61            or .file_type in $file_extensions_macros
 62          )
 63          and (
 64            any(file.explode(.),
 65                regex.icontains(.scan.ocr.raw, 'scan|camera')
 66                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
 67            )
 68            or (
 69              any(file.explode(.),
 70                  .scan.qr.type == "url"
 71                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks 
 72                  and any(recipients.to,
 73                          (
 74                            (strings.icontains(..scan.qr.data, .email.email))
 75  
 76                            // the recipients sld is in the senders display name
 77                            or any(recipients.to,
 78                                   strings.icontains(sender.display_name,
 79                                                     .email.domain.sld
 80                                   )
 81                            )
 82  
 83                            // the recipient local is in the body  
 84                            or any(recipients.to,
 85                                   strings.icontains(body.current_thread.text,
 86                                                     .email.local_part
 87                                   )
 88                            )
 89  
 90                            // or the body is null 
 91                            or body.current_thread.text is null
 92                            or body.current_thread.text == ""
 93  
 94                            // or the subject contains authentication/urgency verbiage
 95                            or regex.contains(subject.subject,
 96                                              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
 97                            )
 98                          )
 99                          and (
100                            .email.domain.valid
101                            or strings.icontains(.display_name, "undisclosed")
102                          )
103                  )
104              )
105            )
106          )
107  )
108  and (
109    not any(headers.hops,
110            .authentication_results.compauth.verdict is not null
111            and .authentication_results.compauth.verdict == "pass"
112            and sender.email.domain.domain == "microsoft.com"
113    )
114  )
115  and (
116    not profile.by_sender().solicited
117    or (
118      profile.by_sender().any_messages_malicious_or_spam
119      and not profile.by_sender().any_false_positives
120    )
121  )
122  and not profile.by_sender().any_false_positives  
123
124attack_types:
125  - "Credential Phishing"
126tactics_and_techniques:
127  - "Impersonation: Brand"
128  - "PDF"
129  - "QR code"
130  - "Social engineering"
131detection_methods:
132  - "Computer Vision"
133  - "Header analysis"
134  - "QR code analysis"
135  - "Sender analysis"
136id: "ed0f772a-6543-5947-80d1-55a11ea63074"