Brand impersonation: Microsoft logo or suspicious language with open redirect

Message contains an image attachment that shows a Microsoft logo or suspicious wording (detected by OCR), together with a link that passes through an open redirect. This combination has been exploited in the wild to impersonate Microsoft.

Sublime rule (View on GitHub)

# Sublime detection rule: Microsoft brand impersonation combined with an open-redirect link.
# Fires only when BOTH an image-based Microsoft signal (logo or OCR'd phishing phrases)
# AND a body link flagged as an open redirect are present, and the sender is neither an
# org domain nor one of the listed Microsoft-owned domains.
name: "Brand impersonation: Microsoft logo or suspicious language with open redirect"
description: |
    Message contains a Microsoft logo or suspicious terms and use of an open redirect. This has been exploited in the wild to impersonate Microsoft.
type: "rule"
severity: "high"
source: |
  type.inbound
  
  // Microsoft logo
  // Branch 1: any image attachment whose ML logo detection returns a brand name
  // starting with "Microsoft" (so "Microsoft", "Microsoft 365", etc. all match).
  // Branch 2: any image attachment whose OCR text contains at least 2 of the
  // phrases below. $file_types_images is a list defined outside this rule
  // (presumably platform-provided) — confirm its contents when tuning.
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    or any(attachments,
           .file_type in $file_types_images
           and (
             any(file.explode(.),
                 // Case-insensitive glob matches against the raw OCR output.
                 // NOTE(review): "*review" and "*required now" have no trailing
                 // wildcard, so they only match when the OCR text ENDS with that
                 // phrase — unlike every other pattern here. Possibly intentional
                 // (narrower match); confirm with the rule author before changing.
                 2 of (
                   strings.ilike(.scan.ocr.raw, "*password*"),
                   strings.ilike(.scan.ocr.raw, "*unread messages*"),
                   strings.ilike(.scan.ocr.raw, "*Shared Documents*"),
                   strings.ilike(.scan.ocr.raw, "*expiration*"),
                   strings.ilike(.scan.ocr.raw, "*office*"),
                   strings.ilike(.scan.ocr.raw, "*expire*"),
                   strings.ilike(.scan.ocr.raw, "*expiring*"),
                   strings.ilike(.scan.ocr.raw, "*kindly*"),
                   strings.ilike(.scan.ocr.raw, "*renew*"),
                   strings.ilike(.scan.ocr.raw, "*review"),
                   strings.ilike(.scan.ocr.raw, "*emails failed*"),
                   strings.ilike(.scan.ocr.raw, "*kicked out*"),
                   strings.ilike(.scan.ocr.raw, "*prevented*"),
                   strings.ilike(.scan.ocr.raw, "*storage quota*"),
                   strings.ilike(.scan.ocr.raw, "*required now"),
                   strings.ilike(.scan.ocr.raw, "*cache*"),
                   strings.ilike(.scan.ocr.raw, "*qr code*"),
                   strings.ilike(.scan.ocr.raw, "*barcode*"),
                   strings.ilike(.scan.ocr.raw, "*security update*"),
                   strings.ilike(.scan.ocr.raw, "*quarantine*")
                 )
             )
           )
    )
  )
  
  // open redirect
  // A body link counts when the URL-rewrite analysis tagged one of its encoders
  // as an open redirect AND the link's root domain is not one of our own
  // ($org_domains is defined outside this rule). Links that redirect through an
  // org-owned domain are deliberately ignored here.
  and any(body.links,
          any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
          and not .href_url.domain.root_domain in $org_domains
  )
  // Sender exemptions: internal senders and Microsoft-owned sending domains.
  // NOTE(review): this allowlist keys on the sender domain alone; nothing in
  // this rule ties the exemption to email authentication results. A message
  // whose From: domain spoofs one of these Microsoft domains would therefore be
  // exempt — consider gating the exemption on authentication (e.g. DMARC pass)
  // if the platform exposes that signal. Verify with the rule maintainer.
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com"
  )  

# Classification metadata used by the rule catalog; does not affect matching.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "27b8d8d8-a117-5d34-b4b0-9adb7c7c971e"