Attachment: Microsoft 365 Credential Phishing

  1name: "Attachment: Microsoft 365 Credential Phishing"
  2description: |
  3    Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
  4type: "rule"
  5severity: "high"
  6source: |
  7  type.inbound
  8  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  9  and (
 10    any(attachments,
 11        .file_type in $file_types_images
 12        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 13    )
 14    or any(attachments,
 15           .file_type in $file_types_images
 16           and any(file.explode(.),
 17                   strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
 18           )
 19    )
 20  )
 21  and any(attachments,
 22          .file_type in $file_types_images
 23          and any(file.explode(.),
 24                  length(filter([
 25                                  "password",
 26                                  "unread messages",
 27                                  "Shared Documents",
 28                                  "expiration",
 29                                  "expire",
 30                                  "expiring",
 31                                  "kindly",
 32                                  "renew",
 33                                  "review",
 34                                  "emails failed",
 35                                  "kicked out",
 36                                  "prevented",
 37                                  "storage",
 38                                  "required now",
 39                                  "cache",
 40                                  "qr code",
 41                                  "security update",
 42                                  "invoice",
 43                                  "retrieve",
 44                                  "blocked"
 45                                ],
 46                                strings.icontains(..scan.ocr.raw, .)
 47                         )
 48                  ) >= 2
 49                  or (
 50                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
 51                        .name == "cred_theft" and .confidence == "high"
 52                    )
 53                  and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
 54                )
 55          )
 56  )
 57  and (
 58    not any(headers.hops,
 59            .authentication_results.compauth.verdict is not null
 60            and .authentication_results.compauth.verdict == "pass"
 61            and sender.email.domain.domain in (
 62              "microsoft.com",
 63              "sharepointonline.com"
 64            )
 65    )
 66  )
 67  
 68  // negate angelbeat urls and microsoft disclaimer links
 69  and (
 70    length(body.links) > 0
 71    and not all(body.links,
 72            .href_url.domain.root_domain in (
 73              "abeatinfo.com",
 74              "abeatinvite.com",
 75              "aka.ms",
 76              "angelbeat.com"
 77            )
 78    )
 79  )
 80  and (
 81    not profile.by_sender().solicited
 82    or (
 83      profile.by_sender().any_messages_malicious_or_spam
 84      and not profile.by_sender().any_false_positives
 85    )
 86  )
 87  
 88  // negate highly trusted sender domains unless they fail DMARC authentication
 89  and (
 90    (
 91      sender.email.domain.root_domain in $high_trust_sender_root_domains
 92      and not headers.auth_summary.dmarc.pass
 93    )
 94    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 95  )
 96  and not profile.by_sender().any_false_positives  
 97
 98attack_types:
 99  - "Credential Phishing"
100tactics_and_techniques:
101  - "Impersonation: Brand"
102  - "Social engineering"
103detection_methods:
104  - "Content analysis"
105  - "File analysis"
106  - "Header analysis"
107  - "Optical Character Recognition"
108  - "Sender analysis"
109id: "edce0229-5e8f-5359-a5c8-36570840049f"