Brand impersonation: Microsoft (QR code)
Detects messages that use Microsoft image-based lures and reference or include a QR code, sent by an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule (View on GitHub)
```yaml
name: "Brand impersonation: Microsoft (QR code)"
description: |
  Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          or .file_type in~ $file_extensions_macros
        )
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           strings.starts_with(.name, "Microsoft")
    )
  )
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            or .file_type in $file_extensions_macros
          )
          and (
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            or (
              any(file.explode(.),
                  .scan.qr.type == "url"
                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                  and any(recipients.to,
                          (
                            (strings.icontains(..scan.qr.data, .email.email))

                            // the recipients sld is in the senders display name
                            or any(recipients.to,
                                   strings.icontains(sender.display_name,
                                                     .email.domain.sld
                                   )
                            )

                            // the recipient local is in the body
                            or any(recipients.to,
                                   strings.icontains(body.current_thread.text,
                                                     .email.local_part
                                   )
                            )

                            // or the body is null
                            or body.current_thread.text is null
                            or body.current_thread.text == ""

                            // or the subject contains authentication/urgency verbiage
                            or regex.contains(subject.subject,
                                              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                            )
                          )
                          and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
                  )
              )
            )
          )
  )
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.domain == "microsoft.com"
    )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "ed0f772a-6543-5947-80d1-55a11ea63074"
```
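To make the rule's logic easier to reason about and test, here is an added Python re-implementation of its checks over a constructed message object. This is example code, not Sublime's engine or the rule's own code: the `Attachment`, `Recipient` and `Message` dataclasses, the `IMAGE_TYPES` and `MACRO_TYPES` sets standing in for the `$file_types_images` and `$file_extensions_macros` lists, and the `sld()` helper are assumptions. Logo detection, OCR and QR decoding are taken as already done upstream and their results are supplied as plain fields, so the block runs offline; the three sample messages at the bottom are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Stand-ins for the rule's $file_types_images / $file_extensions_macros lists (assumed values).
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}
MACRO_TYPES = {"doc", "docm", "xls", "xlsm", "ppt", "pptm"}

# Same patterns as the rule: subject regex is case-sensitive (regex.contains),
# OCR patterns are case-insensitive (regex.icontains).
SUBJECT_RE = re.compile(r"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)")
OCR_SCAN_RE = re.compile(r"scan|camera", re.IGNORECASE)
OCR_QR_RE = re.compile(r"\bQR\b|Q\.R\.|barcode", re.IGNORECASE)


@dataclass
class Attachment:
    file_type: str
    brands: List[str] = field(default_factory=list)   # ml.logo_detect(.).brands[].name
    ocr_text: str = ""                                 # .scan.ocr.raw after file.explode()
    qr_type: Optional[str] = None                      # .scan.qr.type
    qr_data: Optional[str] = None                      # .scan.qr.data


@dataclass
class Recipient:
    email: str
    display_name: str = ""
    domain_valid: bool = True                          # .email.domain.valid


@dataclass
class Message:
    sender_domain: str
    sender_display_name: str
    recipients: List[Recipient]
    subject: str
    body_text: Optional[str]                           # body.current_thread.text
    attachments: List[Attachment]
    compauth_pass: bool = False                        # any hop with compauth verdict "pass"
    screenshot_brands: List[str] = field(default_factory=list)
    solicited: bool = False                            # profile.by_sender().solicited
    any_malicious_or_spam: bool = False
    any_false_positives: bool = False


def sld(domain: str) -> str:
    """Second-level label of a domain (assumed, no public-suffix handling)."""
    return domain.split(".")[-2]


def eligible(a: Attachment) -> bool:
    return a.file_type in IMAGE_TYPES or a.file_type == "pdf" or a.file_type.lower() in MACRO_TYPES


def microsoft_lure(m: Message) -> bool:
    """A Microsoft logo in an eligible attachment or in the rendered message."""
    in_attachment = any(eligible(a) and any(b.startswith("Microsoft") for b in a.brands)
                        for a in m.attachments)
    return in_attachment or any(b.startswith("Microsoft") for b in m.screenshot_brands)


def recipient_context(m: Message, qr_data: str) -> bool:
    """The recipient-targeting conditions attached to a QR code that decodes to a URL."""
    valid = [r for r in m.recipients if r.domain_valid or "undisclosed" in r.display_name.lower()]
    if not valid:
        return False
    body = m.body_text or ""
    return (any(r.email.lower() in qr_data.lower() for r in valid)
            or any(sld(r.email.split("@", 1)[1]).lower() in m.sender_display_name.lower() for r in m.recipients)
            or any(r.email.split("@", 1)[0].lower() in body.lower() for r in m.recipients)
            or not body
            or SUBJECT_RE.search(m.subject) is not None)


def qr_indicator(m: Message) -> bool:
    for a in m.attachments:
        if not eligible(a):
            continue
        if OCR_SCAN_RE.search(a.ocr_text) and OCR_QR_RE.search(a.ocr_text):
            return True
        if a.qr_type == "url" and a.qr_data and recipient_context(m, a.qr_data):
            return True
    return False


def authenticated_microsoft(m: Message) -> bool:
    return m.compauth_pass and m.sender_domain == "microsoft.com"


def sender_profile_allows(m: Message) -> bool:
    return ((not m.solicited or (m.any_malicious_or_spam and not m.any_false_positives))
            and not m.any_false_positives)


def matches(m: Message) -> bool:
    return (microsoft_lure(m) and qr_indicator(m)
            and not authenticated_microsoft(m) and sender_profile_allows(m))


# Constructed samples: a QR lure, the same lure from authenticated microsoft.com, and a benign QR.
PHISH = Message("mail-relay.example.net", "Microsoft Account Team", [Recipient("alice@example.com")],
                "Microsoft Authenticator: action required", "",
                [Attachment("pdf", ["Microsoft"], "Use your phone camera to scan the QR code below",
                            "url", "https://login-verify.example.net/?u=alice@example.com")])
LEGIT = Message("microsoft.com", "Microsoft", PHISH.recipients, PHISH.subject, PHISH.body_text,
                PHISH.attachments, compauth_pass=True)
NO_CONTEXT = Message("contoso.example", "Contoso Events", [Recipient("alice@example.com")],
                     "Quarterly partner update", "Here is our latest partner update.",
                     [Attachment("png", ["Microsoft"], "Partner update",
                                 "url", "https://events.contoso.example/register")])

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("LEGIT", LEGIT), ("NO_CONTEXT", NO_CONTEXT)]:
        print(name, matches(msg))
```

The third sample shows the point of the recipient-context block: a Microsoft logo plus a QR URL is not enough on its own; the QR must carry the recipient's address, or the message must show one of the other targeting or urgency signals, before the rule fires.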