Attachment: Microsoft impersonation via PDF with link and suspicious language

 1name: "Attachment: Microsoft impersonation via PDF with link and suspicious language"
 2description: "Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    any(attachments,
 9        (.file_extension == "pdf" or .file_type == "pdf")
10        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
11    )
12  )
13  and any(attachments,
14          (.file_extension == "pdf" or .file_type == "pdf")
15          and any(file.explode(.),
16                  (
17                    length(filter([
18                                    "password",
19                                    "unread messages",
20                                    "Shared Documents",
21                                    "expiration",
22                                    "expire",
23                                    "expiring",
24                                    "kindly",
25                                    "renew",
26                                    "review",
27                                    "emails failed",
28                                    "kicked out",
29                                    "prevented",
30                                    "storage",
31                                    "required now",
32                                    "cache",
33                                    "qr code",
34                                    "security update",
35                                    "invoice",
36                                    "retrieve",
37                                    'engine failed',
38                                    'OneDrive Error',
39                                    'problem connecting',                                  
40                                    'secure file',
41                                    'access'
42                                  ],
43                                  strings.icontains(..scan.ocr.raw, .)
44                           )
45                    ) >= 2
46                    or any(ml.nlu_classifier(.scan.ocr.raw).intents,
47                           .name == "cred_theft" and .confidence == "high"
48                    )
49                  )
50                  and (length(.scan.url.urls) > 0 or length(.scan.pdf.urls) > 0)
51          )
52  )
53  and (
54    not any(headers.hops,
55            .authentication_results.compauth.verdict is not null
56            and .authentication_results.compauth.verdict == "pass"
57            and sender.email.domain.domain in (
58              "microsoft.com",
59              "sharepointonline.com"
60            )
61    )
62  )
63  and (
64    not profile.by_sender().solicited
65    or (
66      profile.by_sender().any_messages_malicious_or_spam
67      and not profile.by_sender().any_false_positives
68    )
69  )
70  
71  // negate highly trusted sender domains unless they fail DMARC authentication
72  and (
73    (
74      sender.email.domain.root_domain in $high_trust_sender_root_domains
75      and not headers.auth_summary.dmarc.pass
76    )
77    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
78  )
79  and not profile.by_sender().any_false_positives  
80
81tags:
82  - "Malfam: Pikabot"
83attack_types:
84  - "Credential Phishing"
85  - "Malware/Ransomware"
86tactics_and_techniques:
87  - "Image as content"
88  - "Impersonation: Brand"
89  - "PDF"
90  - "Scripting"
91  - "Social engineering"
92detection_methods:
93  - "Computer Vision"
94  - "File analysis"
95  - "Header analysis"
96  - "Natural Language Understanding"
97  - "Sender analysis"
98id: "70d41c7f-19ba-5a4d-9eb6-3682eb655314"