Brand impersonation: Microsoft (QR code)
Detects messages that use Microsoft image-based lures and reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
# Sublime detection rule.
# Fires on inbound mail that (1) carries a Microsoft brand lure — detected by
# logo detection on attachments or on a message screenshot, by Microsoft-themed
# wording inside Office XML parts, or by OCR of inline images in a short body —
# AND (2) carries a QR-code lure in an attachment, AND (3) does not come from a
# microsoft.com sender with a passing compauth verdict, AND (4) comes from a
# sender that is unsolicited (or previously malicious/spam) with no prior
# false positives.
name: "Brand impersonation: Microsoft (QR code)"
description: |
  Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
type: "rule"
severity: "high"
source: |
  type.inbound
  // ---- Part 1: Microsoft brand lure ----
  and (
    // 1a. An image, PDF or macro-capable attachment that either carries a
    //     Microsoft logo or (Office documents) contains Microsoft-themed
    //     authentication/urgency wording in its XML parts.
    any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          // NOTE(review): `in~` (case-insensitive) here, but the parallel
          // attachment filter in Part 2 uses plain `in` — confirm which is intended.
          or .file_type in~ $file_extensions_macros
        )
        and (
          any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
          or any(file.explode(.),
                 // for Office documents
                 .flavors.mime == "text/xml"
                 and any(.scan.strings.strings,
                         // same wording pattern as the OCR check below; case-insensitive
                         regex.icontains(.,
                                         'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
                         )
                 )
          )
        )
    )
    // 1b. Microsoft logo visible in a rendered screenshot of the whole message.
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           strings.starts_with(.name, "Microsoft")
    )
    // 1c. Short body whose inline (content-id referenced) images OCR to
    //     Microsoft-themed wording — the "image is the whole message" lure.
    or (
      // limited body length
      // NOTE(review): behaviour of length() when body.current_thread.text is
      // null is not shown here — confirm it does not error out.
      length(body.current_thread.text) < 300
      and any(filter(attachments,
                     .file_type in $file_types_images
                     // image attachments that are displayed in the body
                     // when the content-id is corrected, this will be much more simple
                     and
                     (
                       // strip the surrounding <> from the Content-ID before
                       // searching the raw HTML for it
                       any(regex.extract(.content_id, '^<(?P<cid>[^\>]+)\>$'),
                           strings.icontains(body.html.raw,
                                             .named_groups["cid"]
                           )
                       )
                       // fall back to the raw Content-ID value
                       or strings.icontains(body.html.raw, .content_id)
                     )
              ),
              // those images contain the wording
              any(file.explode(.),
                  regex.icontains(.scan.ocr.raw,
                                  'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
                  )
              )
      )
    )
  )
  // ---- Part 2: QR-code lure in an attachment ----
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            or .file_type in $file_extensions_macros
          )
          and (
            // 2a. OCR text instructs the reader to scan a QR code / barcode.
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            // 2b. A decoded QR code resolves to a URL, plus a personalisation
            //     or urgency signal tied to a recipient.
            or (
              any(file.explode(.),
                  .scan.qr.type == "url"
                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                  and any(recipients.to,
                          (
                            // `..scan.qr.data` reaches back to the enclosing
                            // file.explode() item; `.` here is the recipient
                            (strings.icontains(..scan.qr.data, .email.email))

                            // the recipients sld is in the senders display name
                            // NOTE(review): this inner any() re-iterates all of
                            // recipients.to, so it matches if ANY recipient's sld
                            // appears, independent of the outer recipient.
                            or any(recipients.to,
                                   strings.icontains(sender.display_name,
                                                     .email.domain.sld
                                   )
                            )

                            // the recipient local is in the body
                            // NOTE(review): same nested-any() behaviour as above.
                            or any(recipients.to,
                                   strings.icontains(body.current_thread.text,
                                                     .email.local_part
                                   )
                            )

                            // or the body is null
                            or body.current_thread.text is null
                            or body.current_thread.text == ""

                            // or the subject contains authentication/urgency verbiage
                            // NOTE(review): regex.contains is case-sensitive, unlike the
                            // icontains used for the same phrases in the OCR/XML checks,
                            // and only the Att(n|ention) alternative requires a trailing
                            // colon — confirm both are intended.
                            or regex.contains(subject.subject,
                                              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                            )
                          )
                          // the recipient itself must be a real domain, or an
                          // "undisclosed recipients" style placeholder
                          and (
                            .email.domain.valid
                            or strings.icontains(.display_name, "undisclosed")
                          )
                  )
              )
            )
          )
  )
  // ---- Part 3: legitimate-sender carve-out ----
  // Exempt only when some hop carries a passing compauth verdict AND the
  // envelope sender domain is exactly microsoft.com; either alone is not enough.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.domain == "microsoft.com"
    )
  )
  // ---- Part 4: sender reputation ----
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      // NOTE(review): redundant — the same any_false_positives exclusion is
      // applied unconditionally below.
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "ed0f772a-6543-5947-80d1-55a11ea63074"