Brand impersonation: Microsoft (QR code)
Detects messages using Microsoft image-based lures, referencing or including a QR code, from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Sublime rule
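name: "Brand impersonation: Microsoft (QR code)"
description: |
  Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
type: "rule"
severity: "high"
# The MQL below is four AND-ed stages: (1) a Microsoft brand signal,
# (2) a QR-code lure in an attachment, (3) an exclusion for mail that
# authenticated as microsoft.com itself, (4) sender-reputation gating.
source: |
  type.inbound
  // Stage 1: Microsoft branding, found by logo detection on an attachment,
  // by branded wording inside an Office document, by logo detection on a
  // screenshot of the rendered message, or by OCR of images that are
  // embedded in a short HTML body.
  and (
    any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          or .file_type in~ $file_extensions_macros
        )
        and (
          any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
          or any(file.explode(.),
                 // for Office documents
                 .flavors.mime == "text/xml"
                 and any(.scan.strings.strings,
                         regex.icontains(.,
                                         'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
                         )
                 )
          )
        )
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           strings.starts_with(.name, "Microsoft")
    )
    or (
      // limited body length
      length(body.current_thread.text) < 300
      and any(filter(attachments,
                     .file_type in $file_types_images
                     // image attachments that are displayed in the body
                     // when the content-id is corrected, this will be much more simple
                     and any(regex.extract(.content_id, '^<(?P<cid>[^\>]+)\>$'),
                             strings.icontains(body.html.raw,
                                               .named_groups["cid"]
                             )
                     )
              ),
              // those images contain the wording
              any(file.explode(.),
                  regex.icontains(.scan.ocr.raw,
                                  'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
                  )
              )
      )
    )
  )
  // Stage 2: a QR-code lure in an attachment. Either the OCR text talks
  // about scanning a QR code, or a decoded QR URL is paired with a
  // recipient-targeting or urgency signal.
  and any(attachments,
          (
            .file_type in $file_types_images
            or .file_type == "pdf"
            // in~ keeps this case-insensitive, matching the attachment
            // filter in stage 1 so both stages see the same set of files
            or .file_type in~ $file_extensions_macros
          )
          and (
            any(file.explode(.),
                regex.icontains(.scan.ocr.raw, 'scan|camera')
                and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
            )
            or (
              any(file.explode(.),
                  .scan.qr.type == "url"
                  // recipient email address is present in the URL, a common tactic used in credential phishing attacks
                  // (the `..` prefix reaches back to the enclosing file.explode() item)
                  and any(recipients.to,
                          (
                            (strings.icontains(..scan.qr.data, .email.email))

                            // the recipients sld is in the senders display name
                            or any(recipients.to,
                                   strings.icontains(sender.display_name,
                                                     .email.domain.sld
                                   )
                            )

                            // the recipient local is in the body
                            or any(recipients.to,
                                   strings.icontains(body.current_thread.text,
                                                     .email.local_part
                                   )
                            )

                            // or the body is null
                            or body.current_thread.text is null
                            or body.current_thread.text == ""

                            // or the subject contains authentication/urgency verbiage
                            // NOTE(review): regex.contains is case-sensitive here, unlike the
                            // regex.icontains calls elsewhere in this rule; confirm that is intended
                            or regex.contains(subject.subject,
                                              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                            )
                          )
                          // only count recipients with a valid domain, or an
                          // "undisclosed recipients" placeholder
                          and (
                            .email.domain.valid
                            or strings.icontains(.display_name, "undisclosed")
                          )
                  )
              )
            )
          )
  )
  // Stage 3: do not fire on mail that a hop's composite authentication
  // (compauth) marked as passing AND whose sender domain is exactly
  // microsoft.com. Mail with no compauth result on any hop is not
  // excluded by this stage.
  // NOTE(review): the comparison is against the exact string "microsoft.com";
  // confirm whether mail from microsoft.com subdomains should also be excluded.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.domain == "microsoft.com"
    )
  )
  // Stage 4: the sender must be unsolicited, or previously seen sending
  // malicious/spam mail. A prior false positive from this sender exempts
  // them in either case, so that check is applied once at the end.
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "QR code"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "QR code analysis"
  - "Sender analysis"
id: "ed0f772a-6543-5947-80d1-55a11ea63074"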