Attachment: Microsoft 365 Credential Phishing
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
Sublime rule (View on GitHub)
1name: "Attachment: Microsoft 365 Credential Phishing"
2description: |
3 Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(filter(attachments, .file_type not in $file_types_images)) == 0
9 and (
10 any(attachments,
11 .file_type in $file_types_images
12 and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
13 )
14 or any(attachments,
15 .file_type in $file_types_images
16 and any(file.explode(.),
17 strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
18 )
19 )
20 )
21 and any(attachments,
22 .file_type in $file_types_images
23 and any(file.explode(.),
24 length(filter([
25 "password",
26 "unread messages",
27 "Shared Documents",
28 "expiration",
29 "expire",
30 "expiring",
31 "kindly",
32 "renew",
33 "review",
34 "emails failed",
35 "kicked out",
36 "prevented",
37 "storage",
38 "required now",
39 "cache",
40 "qr code",
41 "security update",
42 "invoice",
43 "retrieve",
44 "blocked"
45 ],
46 strings.icontains(..scan.ocr.raw, .)
47 )
48 ) >= 2
49 or (
50 any(ml.nlu_classifier(.scan.ocr.raw).intents,
51 .name == "cred_theft" and .confidence == "high"
52 )
53 and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
54 )
55 )
56 )
57 and (
58 not any(headers.hops,
59 .authentication_results.compauth.verdict is not null
60 and .authentication_results.compauth.verdict == "pass"
61 and sender.email.domain.domain in (
62 "microsoft.com",
63 "sharepointonline.com"
64 )
65 )
66 )
67
68 // negate angelbeat urls and microsoft disclaimer links
69 and (
70 length(body.links) > 0
71 and not all(body.links,
72 .href_url.domain.root_domain in (
73 "abeatinfo.com",
74 "abeatinvite.com",
75 "aka.ms",
76 "angelbeat.com"
77 )
78 )
79 )
80
81 // negate replies
82 and (
83 (
84 (
85 length(headers.references) > 0
86 or not any(headers.hops,
87 any(.fields, strings.ilike(.name, "In-Reply-To"))
88 )
89 )
90 and not (
91 (
92 strings.istarts_with(subject.subject, "RE:")
93 or strings.istarts_with(subject.subject, "R:")
94 or strings.istarts_with(subject.subject, "ODG:")
95 or strings.istarts_with(subject.subject, "答复:")
96 or strings.istarts_with(subject.subject, "AW:")
97 or strings.istarts_with(subject.subject, "TR:")
98 or strings.istarts_with(subject.subject, "FWD:")
99 or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
100 )
101 )
102 )
103 or length(headers.references) == 0
104 )
105
106 and (
107 not profile.by_sender().solicited
108 or (
109 profile.by_sender().any_messages_malicious_or_spam
110 and not profile.by_sender().any_false_positives
111 )
112 )
113
114 // negate highly trusted sender domains unless they fail DMARC authentication
115 and (
116 (
117 sender.email.domain.root_domain in $high_trust_sender_root_domains
118 and not headers.auth_summary.dmarc.pass
119 )
120 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
121 )
122 and not profile.by_sender().any_false_positives
123
124attack_types:
125 - "Credential Phishing"
126tactics_and_techniques:
127 - "Impersonation: Brand"
128 - "Social engineering"
129detection_methods:
130 - "Content analysis"
131 - "File analysis"
132 - "Header analysis"
133 - "Optical Character Recognition"
134 - "Sender analysis"
135id: "edce0229-5e8f-5359-a5c8-36570840049f"