Brand impersonation: Microsoft logo or suspicious language with open redirect
Message contains a Microsoft logo or suspicious terms and use of an open redirect. This has been exploited in the wild to impersonate Microsoft.
Sublime rule (View on GitHub)
# Sublime Security detection rule (MQL inside the `source` block).
# Fires on inbound mail that pairs Microsoft branding (logo or lure wording
# in an image) with a link that goes through an open redirect, from a sender
# outside the org and outside the excluded Microsoft domains below.
name: "Brand impersonation: Microsoft logo or suspicious language with open redirect"
description: |
  Message contains a Microsoft logo or suspicious terms and use of an open redirect. This has been exploited in the wild to impersonate Microsoft.
type: "rule"
severity: "high"
source: |
  // Scope: inbound only, and only for messages with fewer than 5 attachments
  // or fewer than 10 body links, so the logo detection / OCR below is not run
  // on large messages.
  type.inbound
  and (length(attachments) < 5 or length(body.links) < 10)
  // Microsoft logo
  // Either branch satisfies the branding condition:
  //   1) an image attachment where logo detection returns a brand whose name
  //      starts with "Microsoft", or
  //   2) an image attachment whose exploded OCR text matches at least 2 of the
  //      lure terms listed (ilike is case-insensitive; "*" is a wildcard).
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    // NOTE(review): "*review" and "*required now" have no trailing "*", unlike
    // the other patterns, so they only match when the OCR text ends with that
    // term — confirm this is intended rather than a missed wildcard.
    or any(attachments,
           .file_type in $file_types_images
           and (
             any(file.explode(.),
                 2 of (
                   strings.ilike(.scan.ocr.raw, "*password*"),
                   strings.ilike(.scan.ocr.raw, "*unread messages*"),
                   strings.ilike(.scan.ocr.raw, "*Shared Documents*"),
                   strings.ilike(.scan.ocr.raw, "*expiration*"),
                   strings.ilike(.scan.ocr.raw, "*office*"),
                   strings.ilike(.scan.ocr.raw, "*expire*"),
                   strings.ilike(.scan.ocr.raw, "*expiring*"),
                   strings.ilike(.scan.ocr.raw, "*kindly*"),
                   strings.ilike(.scan.ocr.raw, "*renew*"),
                   strings.ilike(.scan.ocr.raw, "*review"),
                   strings.ilike(.scan.ocr.raw, "*emails failed*"),
                   strings.ilike(.scan.ocr.raw, "*kicked out*"),
                   strings.ilike(.scan.ocr.raw, "*prevented*"),
                   strings.ilike(.scan.ocr.raw, "*storage quota*"),
                   strings.ilike(.scan.ocr.raw, "*required now"),
                   strings.ilike(.scan.ocr.raw, "*cache*"),
                   strings.ilike(.scan.ocr.raw, "*qr code*"),
                   strings.ilike(.scan.ocr.raw, "*barcode*"),
                   strings.ilike(.scan.ocr.raw, "*security update*"),
                   strings.ilike(.scan.ocr.raw, "*quarantine*")
                 )
             )
           )
    )
  )

  // open redirect
  // At least one body link must have an "open_redirect" entry among its URL
  // rewrite encoders, and its root domain must not be in $org_domains
  // (presumably the org's own domains — verify the list is current, since a
  // redirect hosted on an org domain is deliberately not flagged here).
  and any(body.links,
          any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
          and not .href_url.domain.root_domain in $org_domains
  )
  // Exclude replies / threaded mail: no References header and no hop carrying
  // an In-Reply-To field.
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  // Sender must be external to the org and not one of the root domains below.
  // Every domain added to this exclusion is a domain an attacker could spoof
  // or send from to avoid the rule, so keep the list minimal and reviewed.
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftstoreemail.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com"
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Open redirect"
  - "Social engineering"
# Each method below corresponds to a check in `source`: logo detection
# (Computer Vision), OCR term matching (Content analysis / NLU), References and
# In-Reply-To checks (Header analysis), sender domain checks (Sender analysis),
# and the open-redirect encoder check (URL analysis).
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
# Stable rule identifier; keep it unchanged when editing the rule.
id: "27b8d8d8-a117-5d34-b4b0-9adb7c7c971e"