Attachment: Microsoft impersonation via PDF with link and suspicious language

Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method.

Sublime rule (View on GitHub)

  1name: "Attachment: Microsoft impersonation via PDF with link and suspicious language"
  2description: "Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    any(attachments,
  9        (.file_extension == "pdf" or .file_type == "pdf")
 10        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 11    )
 12  )
 13  and any(attachments,
 14          (.file_extension == "pdf" or .file_type == "pdf")
 15          and any(file.explode(.),
 16                  (
 17                    length(filter([
 18                                    "password",
 19                                    "unread messages",
 20                                    "Shared Documents",
 21                                    "expiration",
 22                                    "expire",
 23                                    "expiring",
 24                                    "kindly",
 25                                    "renew",
 26                                    "review",
 27                                    "emails failed",
 28                                    "kicked out",
 29                                    "prevented",
 30                                    "storage",
 31                                    "required now",
 32                                    "cache",
 33                                    "qr code",
 34                                    "security update",
 35                                    "invoice",
 36                                    "retrieve",
 37                                    'engine failed',
 38                                    'OneDrive Error',
 39                                    'problem connecting'
 40                                  ],
 41                                  strings.icontains(..scan.ocr.raw, .)
 42                           )
 43                    ) >= 2
 44                    or any(ml.nlu_classifier(.scan.ocr.raw).intents,
 45                           .name == "cred_theft" and .confidence == "high"
 46                    )
 47                  )
 48                  and (length(.scan.url.urls) > 0 or length(.scan.pdf.urls) > 0)
 49          )
 50  )
 51  and (
 52    not any(headers.hops,
 53            .authentication_results.compauth.verdict is not null
 54            and .authentication_results.compauth.verdict == "pass"
 55            and sender.email.domain.domain in (
 56              "microsoft.com",
 57              "sharepointonline.com"
 58            )
 59    )
 60  )
 61  and (
 62    not profile.by_sender().solicited
 63    or (
 64      profile.by_sender().any_messages_malicious_or_spam
 65      and not profile.by_sender().any_false_positives
 66    )
 67  )
 68  
 69  // negate highly trusted sender domains unless they fail DMARC authentication
 70  and (
 71    (
 72      sender.email.domain.root_domain in $high_trust_sender_root_domains
 73      and (
 74        any(distinct(headers.hops, .authentication_results.dmarc is not null),
 75            strings.ilike(.authentication_results.dmarc, "*fail")
 76        )
 77      )
 78    )
 79    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 80  )
 81  and not profile.by_sender().any_false_positives  
 82
 83tags:
 84  - "Malfam: Pikabot"
 85attack_types:
 86  - "Credential Phishing"
 87  - "Malware/Ransomware"
 88tactics_and_techniques:
 89  - "Image as content"
 90  - "Impersonation: Brand"
 91  - "PDF"
 92  - "Scripting"
 93  - "Social engineering"
 94detection_methods:
 95  - "Computer Vision"
 96  - "File analysis"
 97  - "Header analysis"
 98  - "Natural Language Understanding"
 99  - "Sender analysis"
100id: "70d41c7f-19ba-5a4d-9eb6-3682eb655314"
to-top