Attachment: Microsoft 365 Credential Phishing

Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.

Sublime rule (View on GitHub)

  1name: "Attachment: Microsoft 365 Credential Phishing"
  2description: |
  3    Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
  4type: "rule"
  5severity: "high"
  6source: |
  7  type.inbound
  8  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  9  and (
 10    any(attachments,
 11        .file_type in $file_types_images
 12        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 13    )
 14    or any(attachments,
 15           .file_type in $file_types_images
 16           and any(file.explode(.),
 17                   strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
 18                   and length(.scan.ocr.raw) < 1500
 19           )
 20    )
 21  )
 22  and any(attachments,
 23          .file_type in $file_types_images
 24          and any(file.explode(.),
 25                  length(filter([
 26                                  "password",
 27                                  "unread messages",
 28                                  "Shared Documents",
 29                                  "expiration",
 30                                  "expire",
 31                                  "expiring",
 32                                  "kindly",
 33                                  "renew",
 34                                  "review",
 35                                  "emails failed",
 36                                  "kicked out",
 37                                  "prevented",
 38                                  "storage",
 39                                  "required now",
 40                                  "cache",
 41                                  "qr code",
 42                                  "security update",
 43                                  "invoice",
 44                                  "retrieve",
 45                                  "blocked"
 46                                ],
 47                                strings.icontains(..scan.ocr.raw, .)
 48                         )
 49                  ) >= 2
 50                  or (
 51                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
 52                        .name == "cred_theft" and .confidence == "high"
 53                    )
 54                  and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
 55                )
 56          )
 57  )
 58  and (
 59    not any(headers.hops,
 60            .authentication_results.compauth.verdict is not null
 61            and .authentication_results.compauth.verdict == "pass"
 62            and sender.email.domain.domain in (
 63              "microsoft.com",
 64              "sharepointonline.com"
 65            )
 66    )
 67  )
 68  
 69  // negate angelbeat urls and microsoft disclaimer links
 70  and (
 71    length(body.links) > 0
 72    and not all(body.links,
 73            .href_url.domain.root_domain in (
 74              "abeatinfo.com",
 75              "abeatinvite.com",
 76              "aka.ms",
 77              "angelbeat.com"
 78            )
 79    )
 80  )
 81  
 82  // negate replies
 83  and (
 84    (
 85      (
 86        length(headers.references) > 0
 87        or not any(headers.hops,
 88                   any(.fields, strings.ilike(.name, "In-Reply-To"))
 89        )
 90      )
 91      and not (
 92        (
 93          strings.istarts_with(subject.subject, "RE:")
 94          or strings.istarts_with(subject.subject, "R:")
 95          or strings.istarts_with(subject.subject, "ODG:")
 96          or strings.istarts_with(subject.subject, "答复:")
 97          or strings.istarts_with(subject.subject, "AW:")
 98          or strings.istarts_with(subject.subject, "TR:")
 99          or strings.istarts_with(subject.subject, "FWD:")
100          or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
101        )
102      )
103    )
104    or length(headers.references) == 0
105  )
106  
107  and (
108    not profile.by_sender().solicited
109    or (
110      profile.by_sender().any_messages_malicious_or_spam
111      and not profile.by_sender().any_false_positives
112    )
113  )
114  
115  // negate highly trusted sender domains unless they fail DMARC authentication
116  and (
117    (
118      sender.email.domain.root_domain in $high_trust_sender_root_domains
119      and not headers.auth_summary.dmarc.pass
120    )
121    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
122  )
123  and not profile.by_sender().any_false_positives  
124
125attack_types:
126  - "Credential Phishing"
127tactics_and_techniques:
128  - "Impersonation: Brand"
129  - "Social engineering"
130detection_methods:
131  - "Content analysis"
132  - "File analysis"
133  - "Header analysis"
134  - "Optical Character Recognition"
135  - "Sender analysis"
136id: "edce0229-5e8f-5359-a5c8-36570840049f"
to-top