Brand impersonation: Microsoft (QR code)

Detects messages using Microsoft image-based lures that reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Microsoft (QR code)"
 2description: |
 3    Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 4type: "rule"
 5severity: "high"
# Detection logic (MQL below): Microsoft branding in an image AND a QR-code lure
# AND no compauth-verified microsoft.com sender AND an unsolicited sender relationship.
 6source: |
 7  type.inbound
    // Microsoft branding: logo detection on image attachments, or on a screenshot
    // of the rendered message (beta.message_screenshot is a beta function).
 8  and (
 9    any(attachments,
10        .file_type in $file_types_images
11        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
12    )
13    or any(ml.logo_detect(beta.message_screenshot()).brands, strings.starts_with(.name, "Microsoft"))
14  )
    // QR-code lure, either of two branches:
    //  (a) an image attachment whose OCR text (case-insensitive, regex.icontains) mentions
    //      scanning/camera wording together with QR or barcode wording;
    //  (b) an exploded file containing a URL-type QR code whose decoded data includes a
    //      recipient's address.
    // NOTE(review): the 'or' introducing branch (b) sits outside the image file_type check
    // above it; if 'and' binds tighter than 'or' here, branch (b) is evaluated for attachments
    // of any file type. Confirm whether that is intended.
15  and any(attachments,
16          .file_type in $file_types_images
17          and (
18            any(file.explode(.),
19                regex.icontains(.scan.ocr.raw, 'scan|camera')
20                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
21            )
22          )
23          or (
24            any(file.explode(.),
25                .scan.qr.type == "url"
26                // recipient email address is present in the URL, a common tactic used in credential phishing attacks 
27                and any(recipients.to, strings.icontains(..scan.qr.data, .email.email))
28            )
29          )
30  )
    // Exemption for genuine Microsoft mail: a hop whose compauth verdict is "pass" while the
    // sender domain is exactly "microsoft.com". The comparison is an exact match, so other
    // Microsoft-owned sending domains are presumably not exempted here — TODO confirm.
31  and (
32    not any(headers.hops,
33            .authentication_results.compauth.verdict is not null
34            and .authentication_results.compauth.verdict == "pass"
35            and sender.email.domain.domain == "microsoft.com"
36    )
37  )
38  // unsolicited
    // Two sender cases: a free-mail sender whose exact address is not in $recipient_emails,
    // or a non-free-mail sender whose domain is not in $recipient_domains.
    // NOTE(review): $recipient_emails / $recipient_domains presumably list addresses and domains
    // the organisation has previously corresponded with — verify against the list definitions.
39  and (
40    (
41      sender.email.domain.root_domain in $free_email_providers
42      and sender.email.email not in $recipient_emails
43    )
44    or (
45      sender.email.domain.root_domain not in $free_email_providers
46      and sender.email.domain.domain not in $recipient_domains
47    )
48  )  
49attack_types:
50  - "Credential Phishing"
51tactics_and_techniques:
52  - "Impersonation: Brand"
53  - "QR code"
54  - "Social engineering"
55detection_methods:
56  - "Computer Vision"
57  - "Header analysis"
58  - "QR code analysis"
59  - "Sender analysis"
60id: "ed0f772a-6543-5947-80d1-55a11ea63074"