Brand impersonation: Microsoft logo or suspicious language with open redirect
Message contains a Microsoft logo or suspicious terms and uses an open redirect. This technique has been exploited in the wild to impersonate Microsoft.
Sublime rule
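name: "Brand impersonation: Microsoft logo or suspicious language with open redirect"
description: |
  Message contains a Microsoft logo or suspicious terms and use of an open redirect. This has been exploited in the wild to impersonate Microsoft.
type: "rule"
severity: "high"
source: |
  type.inbound

  // cost gate: skip messages that are both attachment-heavy and link-heavy
  // before running logo detection and OCR; either side being small is enough
  and (length(attachments) < 5 or length(body.links) < 10)

  // Microsoft brand signal: either an image attachment that logo detection
  // attributes to a "Microsoft*" brand, or an image whose OCR text contains
  // at least two of the credential-phishing / urgency terms below
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    or any(attachments,
           .file_type in $file_types_images
           and (
             // NOTE(review): "*review" and "*required now" carry no trailing
             // wildcard, so they only match OCR text that ENDS in those words,
             // unlike the other patterns -- confirm this asymmetry is intended
             any(file.explode(.),
                 2 of (
                   strings.ilike(.scan.ocr.raw, "*password*"),
                   strings.ilike(.scan.ocr.raw, "*unread messages*"),
                   strings.ilike(.scan.ocr.raw, "*Shared Documents*"),
                   strings.ilike(.scan.ocr.raw, "*expiration*"),
                   strings.ilike(.scan.ocr.raw, "*office*"),
                   strings.ilike(.scan.ocr.raw, "*expire*"),
                   strings.ilike(.scan.ocr.raw, "*expiring*"),
                   strings.ilike(.scan.ocr.raw, "*kindly*"),
                   strings.ilike(.scan.ocr.raw, "*renew*"),
                   strings.ilike(.scan.ocr.raw, "*review"),
                   strings.ilike(.scan.ocr.raw, "*emails failed*"),
                   strings.ilike(.scan.ocr.raw, "*kicked out*"),
                   strings.ilike(.scan.ocr.raw, "*prevented*"),
                   strings.ilike(.scan.ocr.raw, "*storage quota*"),
                   strings.ilike(.scan.ocr.raw, "*required now"),
                   strings.ilike(.scan.ocr.raw, "*cache*"),
                   strings.ilike(.scan.ocr.raw, "*qr code*"),
                   strings.ilike(.scan.ocr.raw, "*barcode*"),
                   strings.ilike(.scan.ocr.raw, "*security update*"),
                   strings.ilike(.scan.ocr.raw, "*quarantine*")
                 )
             )
           )
    )
  )

  // open redirect: at least one body link was identified as going through an
  // open-redirect rewrite, and the link's root domain is not one of our own
  and any(body.links,
          any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
          and not .href_url.domain.root_domain in $org_domains
  )

  // sender is unsolicited, or has previously sent spam/malicious mail
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )

  // exclude replies in an existing thread.
  // NOTE(review): References and In-Reply-To are sender-supplied and trivially
  // forgeable, so an attacker can add either header to slip past this
  // exclusion; it is kept only as false-positive control on genuine threads
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // never fire on our own domains
  and sender.email.domain.root_domain not in $org_domains

  // first-party Microsoft sending domains are excluded ONLY when the From
  // domain is DMARC-authenticated. Without the DMARC check a spoofed
  // "@microsoft.com" From header -- exactly what this rule is meant to catch --
  // would match the allowlist and bypass the rule.
  and not (
    sender.email.domain.root_domain in (
      "bing.com",
      "microsoft.com",
      "microsoftonline.com",
      "microsoftstoreemail.com",
      "microsoftsupport.com",
      "microsoft365.com",
      "office.com",
      "onedrive.com",
      "sharepointonline.com",
      "yammer.com"
    )
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
# stable rule identifier; do not change when editing the logic above
id: "27b8d8d8-a117-5d34-b4b0-9adb7c7c971e"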