Brand impersonation: Microsoft (QR code)

Detects messages from an unsolicited sender that use Microsoft image-based lures and reference or include a QR code. These messages often lead users to phishing sites or initiate unwanted downloads.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Microsoft (QR code)"
 2description: |
 3    Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and (
 9    any(attachments,
10        (
11          .file_type in $file_types_images
12          or .file_type == "pdf"
13          or .file_type in~ $file_extensions_macros
14        )
15        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
16    )
17    or any(ml.logo_detect(beta.message_screenshot()).brands,
18           strings.starts_with(.name, "Microsoft")
19    )
20  )
21  and any(attachments,
22          (
23            .file_type in $file_types_images
24            or .file_type == "pdf"
25            or .file_type in $file_extensions_macros
26          )
27          and (
28            any(file.explode(.),
29                regex.icontains(.scan.ocr.raw, 'scan|camera')
30                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
31            )
32            or (
33              any(file.explode(.),
34                  .scan.qr.type == "url"
35                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks 
36                  and any(recipients.to,
37                          (
38                            (strings.icontains(..scan.qr.data, .email.email))
39  
40                            // the recipients sld is in the senders display name
41                            or any(recipients.to,
42                                   strings.icontains(sender.display_name,
43                                                     .email.domain.sld
44                                   )
45                            )
46  
47                            // the recipient local is in the body  
48                            or any(recipients.to,
49                                   strings.icontains(body.current_thread.text,
50                                                     .email.local_part
51                                   )
52                            )
53  
54                            // or the body is null 
55                            or body.current_thread.text is null
56                            or body.current_thread.text == ""
57  
58                            // or the subject contains authentication/urgency verbiage
59                            or regex.contains(subject.subject,
60                                              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
61                            )
62                          )
63                          and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
64                  )
65              )
66            )
67          )
68  )
69  and (
70    not any(headers.hops,
71            .authentication_results.compauth.verdict is not null
72            and .authentication_results.compauth.verdict == "pass"
73            and sender.email.domain.domain == "microsoft.com"
74    )
75  )
76  and (
77    not profile.by_sender().solicited
78    or (
79      profile.by_sender().any_messages_malicious_or_spam
80      and not profile.by_sender().any_false_positives
81    )
82  )
83
84  and not profile.by_sender().any_false_positives  
85
86attack_types:
87  - "Credential Phishing"
88tactics_and_techniques:
89  - "Impersonation: Brand"
90  - "PDF"
91  - "QR code"
92  - "Social engineering"
93detection_methods:
94  - "Computer Vision"
95  - "Header analysis"
96  - "QR code analysis"
97  - "Sender analysis"
98id: "ed0f772a-6543-5947-80d1-55a11ea63074"