Attachment: Microsoft 365 credential phishing
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
Sublime rule (View on GitHub)
1name: "Attachment: Microsoft 365 credential phishing"
2description: |
3 Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(filter(attachments, .file_type not in $file_types_images)) == 0
9 and (
10 any(attachments,
11 .file_type in $file_types_images
12 and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
13 )
14 or any(attachments,
15 .file_type in $file_types_images
16 and any(file.explode(.),
17 strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
18 and length(.scan.ocr.raw) < 1500
19 )
20 )
21 )
22 and any(attachments,
23 .file_type in $file_types_images
24 and any(file.explode(.),
25 length(filter([
26 "password",
27 "unread messages",
28 "Shared Documents",
29 "expiration",
30 "expire",
31 "expiring",
32 "kindly",
33 "renew",
34 "review",
35 "emails failed",
36 "kicked out",
37 "prevented",
38 "storage",
39 "required now",
40 "cache",
41 "qr code",
42 "security update",
43 "invoice",
44 "retrieve",
45 "blocked"
46 ],
47 strings.icontains(..scan.ocr.raw, .)
48 )
49 ) >= 2
50 or (
51 any(ml.nlu_classifier(.scan.ocr.raw).intents,
52 .name == "cred_theft" and .confidence == "high"
53 )
54 and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
55 )
56 )
57 )
58 and (
59 not any(headers.hops,
60 .authentication_results.compauth.verdict is not null
61 and .authentication_results.compauth.verdict == "pass"
62 and sender.email.domain.domain in (
63 "microsoft.com",
64 "sharepointonline.com"
65 )
66 )
67 )
68
69 // negate angelbeat urls and microsoft disclaimer links
70 and (
71 length(body.links) > 0
72 and not all(body.links,
73 .href_url.domain.root_domain in (
74 "abeatinfo.com",
75 "abeatinvite.com",
76 "aka.ms",
77 "angelbeat.com"
78 )
79 )
80 )
81
82 // negate replies
83 and (
84 (
85 (
86 length(headers.references) > 0
87 or not any(headers.hops,
88 any(.fields, strings.ilike(.name, "In-Reply-To"))
89 )
90 )
91 and not (
92 (
93 strings.istarts_with(subject.subject, "RE:")
94 or strings.istarts_with(subject.subject, "R:")
95 or strings.istarts_with(subject.subject, "ODG:")
96 or strings.istarts_with(subject.subject, "答复:")
97 or strings.istarts_with(subject.subject, "AW:")
98 or strings.istarts_with(subject.subject, "TR:")
99 or strings.istarts_with(subject.subject, "FWD:")
100 or regex.icontains(subject.subject,
101 '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
102 )
103 )
104 )
105 )
106 or length(headers.references) == 0
107 )
108 and (
109 not profile.by_sender().solicited
110 or (
111 profile.by_sender().any_messages_malicious_or_spam
112 and not profile.by_sender().any_messages_benign
113 )
114 )
115
116 // negate highly trusted sender domains unless they fail DMARC authentication
117 and (
118 (
119 sender.email.domain.root_domain in $high_trust_sender_root_domains
120 and not headers.auth_summary.dmarc.pass
121 )
122 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
123 )
124 and not profile.by_sender().any_messages_benign
125attack_types:
126 - "Credential Phishing"
127tactics_and_techniques:
128 - "Impersonation: Brand"
129 - "Social engineering"
130detection_methods:
131 - "Content analysis"
132 - "File analysis"
133 - "Header analysis"
134 - "Optical Character Recognition"
135 - "Sender analysis"
136id: "edce0229-5e8f-5359-a5c8-36570840049f"