Attachment: Microsoft impersonation via PDF with link and suspicious language

 1name: "Attachment: Microsoft impersonation via PDF with link and suspicious language"
 2description: "Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    any(attachments,
 9        (.file_extension == "pdf" or .file_type == "pdf")
10        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
11    )
12  )
13  and any(attachments,
14          (.file_extension == "pdf" or .file_type == "pdf")
15          and any(file.explode(.),
16                  (
17                    length(filter([
18                                    "password",
19                                    "unread messages",
20                                    "Shared Documents",
21                                    "expiration",
22                                    "expire",
23                                    "expiring",
24                                    "kindly",
25                                    "renew",
26                                    "review",
27                                    "emails failed",
28                                    "kicked out",
29                                    "prevented",
30                                    "storage",
31                                    "required now",
32                                    "cache",
33                                    "qr code",
34                                    "security update",
35                                    "invoice",
36                                    "retrieve",
37                                    'engine failed',
38                                    'OneDrive Error',
39                                    'problem connecting',                                  
40                                    'secure file',
41                                    'access'
42                                  ],
43                                  strings.icontains(..scan.ocr.raw, .)
44                           )
45                    ) >= 2
46                    or any(ml.nlu_classifier(.scan.ocr.raw).intents,
47                           .name == "cred_theft" and .confidence == "high"
48                    )
49                  )
50                  and (length(.scan.url.urls) > 0 or length(.scan.pdf.urls) > 0)
51          )
52  )
53  and (
54    not any(headers.hops,
55            .authentication_results.compauth.verdict is not null
56            and .authentication_results.compauth.verdict == "pass"
57            and sender.email.domain.domain in (
58              "microsoft.com",
59              "sharepointonline.com"
60            )
61    )
62  )
63  // negate highly trusted sender domains unless they fail DMARC authentication
64  and (
65    (
66      sender.email.domain.root_domain in $high_trust_sender_root_domains
67      and not headers.auth_summary.dmarc.pass
68    )
69    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
70  )  
71
72tags:
73  - "Malfam: Pikabot"
74attack_types:
75  - "Credential Phishing"
76  - "Malware/Ransomware"
77tactics_and_techniques:
78  - "Image as content"
79  - "Impersonation: Brand"
80  - "PDF"
81  - "Scripting"
82  - "Social engineering"
83detection_methods:
84  - "Computer Vision"
85  - "File analysis"
86  - "Header analysis"
87  - "Natural Language Understanding"
88  - "Sender analysis"
89id: "70d41c7f-19ba-5a4d-9eb6-3682eb655314"