Attachment: Office365 image (unsolicited)
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
# Sublime Security detection rule.
# Fires on inbound mail whose attachments are all images, where an image carries
# Microsoft branding (logo detection or OCR text) together with at least two
# credential-phishing lure phrases, the mail did not pass Microsoft compauth from
# a Microsoft-owned sender domain, and the sender is not a prior correspondent.
name: "Attachment: Office365 image (unsolicited)"
description: |
  Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
type: "rule"
severity: "high"
source: |
  type.inbound
  // every attachment must be an image: zero attachments whose type is outside $file_types_images
  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  and (
    // Microsoft branding, path 1: logo detection returns a brand whose name starts with "Microsoft"
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    // Microsoft branding, path 2: OCR text of the exploded image matches one of the globs.
    // NOTE(review): "*office" has no trailing wildcard, so it only matches OCR text that
    // ENDS with "office"; "*office*" may have been intended -- confirm against rule tests.
    or any(attachments,
           .file_type in $file_types_images
           and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*microsoft*", "*office"))
    )
  )
  // Lure content: at least two of the listed phrases appear (case-insensitive) in the
  // OCR text of a single exploded image. Inside the filter, "." is the phrase and
  // "..scan.ocr.raw" refers to the enclosing exploded file (parent-scope reference).
  and any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  length(filter([
                    "password",
                    "unread messages",
                    "Shared Documents",
                    "expiration",
                    "office",
                    "expire",
                    "expiring",
                    "kindly",
                    "renew",
                    "review",
                    "emails failed",
                    "kicked out",
                    "prevented",
                    "storage",
                    "required now",
                    "cache",
                    "qr code",
                    "security update",
                    "invoice",
                    "retrieve"

                  ],
                  strings.icontains(..scan.ocr.raw, .)
                  )
                  ) >= 2
          )
  )
  // Legitimate-sender exclusion: drop the hit only when some hop carries a compauth
  // verdict of "pass" AND the sender domain is one of the two Microsoft-owned domains.
  // A "pass" from any other domain does not exclude the message.
  and (
    not any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict == "pass"
            and sender.email.domain.domain in ("microsoft.com", "sharepointonline.com")
    )
  )
  // unsolicited
  // Free-mail senders are judged by exact address, other senders by domain;
  // $recipient_emails / $recipient_domains are presumed to hold prior correspondents -- verify.
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
# Classification metadata used for rule triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "edce0229-5e8f-5359-a5c8-36570840049f"