Attachment: Microsoft 365 Credential Phishing
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
Sublime rule (View on GitHub)
1name: "Attachment: Microsoft 365 Credential Phishing"
2description: |
3 Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(filter(attachments, .file_type not in $file_types_images)) == 0
9 and (
10 any(attachments,
11 .file_type in $file_types_images
12 and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
13 )
14 or any(attachments,
15 .file_type in $file_types_images
16 and any(file.explode(.),
17 strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
18 )
19 )
20 )
21 and any(attachments,
22 .file_type in $file_types_images
23 and any(file.explode(.),
24 length(filter([
25 "password",
26 "unread messages",
27 "Shared Documents",
28 "expiration",
29 "expire",
30 "expiring",
31 "kindly",
32 "renew",
33 "review",
34 "emails failed",
35 "kicked out",
36 "prevented",
37 "storage",
38 "required now",
39 "cache",
40 "qr code",
41 "security update",
42 "invoice",
43 "retrieve",
44 "blocked"
45 ],
46 strings.icontains(..scan.ocr.raw, .)
47 )
48 ) >= 2
49 or (
50 any(ml.nlu_classifier(.scan.ocr.raw).intents,
51 .name == "cred_theft" and .confidence == "high"
52 )
53 and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
54 )
55 )
56 )
57 and (
58 not any(headers.hops,
59 .authentication_results.compauth.verdict is not null
60 and .authentication_results.compauth.verdict == "pass"
61 and sender.email.domain.domain in (
62 "microsoft.com",
63 "sharepointonline.com"
64 )
65 )
66 )
67
68 // negate angelbeat urls and microsoft disclaimer links
69 and (
70 length(body.links) > 0
71 and not all(body.links,
72 .href_url.domain.root_domain in (
73 "abeatinfo.com",
74 "abeatinvite.com",
75 "aka.ms",
76 "angelbeat.com"
77 )
78 )
79 )
80 and (
81 not profile.by_sender().solicited
82 or (
83 profile.by_sender().any_messages_malicious_or_spam
84 and not profile.by_sender().any_false_positives
85 )
86 )
87
88 // negate highly trusted sender domains unless they fail DMARC authentication
89 and (
90 (
91 sender.email.domain.root_domain in $high_trust_sender_root_domains
92 and not headers.auth_summary.dmarc.pass
93 )
94 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
95 )
96 and not profile.by_sender().any_false_positives
97
98attack_types:
99 - "Credential Phishing"
100tactics_and_techniques:
101 - "Impersonation: Brand"
102 - "Social engineering"
103detection_methods:
104 - "Content analysis"
105 - "File analysis"
106 - "Header analysis"
107 - "Optical Character Recognition"
108 - "Sender analysis"
109id: "edce0229-5e8f-5359-a5c8-36570840049f"