Attachment: Microsoft 365 Credential Phishing
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
Sublime rule (View on GitHub)
1name: "Attachment: Microsoft 365 Credential Phishing"
2description: |
3 Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(filter(attachments, .file_type not in $file_types_images)) == 0
9 and (
10 any(attachments,
11 .file_type in $file_types_images
12 and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
13 )
14 or any(attachments,
15 .file_type in $file_types_images
16 and any(file.explode(.),
17 strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
18 and length(.scan.ocr.raw) < 1500
19 )
20 )
21 )
22 and any(attachments,
23 .file_type in $file_types_images
24 and any(file.explode(.),
25 length(filter([
26 "password",
27 "unread messages",
28 "Shared Documents",
29 "expiration",
30 "expire",
31 "expiring",
32 "kindly",
33 "renew",
34 "review",
35 "emails failed",
36 "kicked out",
37 "prevented",
38 "storage",
39 "required now",
40 "cache",
41 "qr code",
42 "security update",
43 "invoice",
44 "retrieve",
45 "blocked"
46 ],
47 strings.icontains(..scan.ocr.raw, .)
48 )
49 ) >= 2
50 or (
51 any(ml.nlu_classifier(.scan.ocr.raw).intents,
52 .name == "cred_theft" and .confidence == "high"
53 )
54 and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
55 )
56 )
57 )
58 and (
59 not any(headers.hops,
60 .authentication_results.compauth.verdict is not null
61 and .authentication_results.compauth.verdict == "pass"
62 and sender.email.domain.domain in (
63 "microsoft.com",
64 "sharepointonline.com"
65 )
66 )
67 )
68
69 // negate angelbeat urls and microsoft disclaimer links
70 and (
71 length(body.links) > 0
72 and not all(body.links,
73 .href_url.domain.root_domain in (
74 "abeatinfo.com",
75 "abeatinvite.com",
76 "aka.ms",
77 "angelbeat.com"
78 )
79 )
80 )
81
82 // negate replies
83 and (
84 (
85 (
86 length(headers.references) > 0
87 or not any(headers.hops,
88 any(.fields, strings.ilike(.name, "In-Reply-To"))
89 )
90 )
91 and not (
92 (
93 strings.istarts_with(subject.subject, "RE:")
94 or strings.istarts_with(subject.subject, "R:")
95 or strings.istarts_with(subject.subject, "ODG:")
96 or strings.istarts_with(subject.subject, "答复:")
97 or strings.istarts_with(subject.subject, "AW:")
98 or strings.istarts_with(subject.subject, "TR:")
99 or strings.istarts_with(subject.subject, "FWD:")
100 or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
101 )
102 )
103 )
104 or length(headers.references) == 0
105 )
106
107 and (
108 not profile.by_sender().solicited
109 or (
110 profile.by_sender().any_messages_malicious_or_spam
111 and not profile.by_sender().any_false_positives
112 )
113 )
114
115 // negate highly trusted sender domains unless they fail DMARC authentication
116 and (
117 (
118 sender.email.domain.root_domain in $high_trust_sender_root_domains
119 and not headers.auth_summary.dmarc.pass
120 )
121 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
122 )
123 and not profile.by_sender().any_false_positives
124
125attack_types:
126 - "Credential Phishing"
127tactics_and_techniques:
128 - "Impersonation: Brand"
129 - "Social engineering"
130detection_methods:
131 - "Content analysis"
132 - "File analysis"
133 - "Header analysis"
134 - "Optical Character Recognition"
135 - "Sender analysis"
136id: "edce0229-5e8f-5359-a5c8-36570840049f"