Brand Impersonation: Microsoft Planner With Suspicious Link
Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite.
# Sublime Security detection rule. The MQL query under `source:` must be true
# for the message to match; every `and` clause below narrows the verdict.
name: "Brand Impersonation: Microsoft Planner With Suspicious Link"
description: "Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // suspicious link: at least one link must (a) look untrustworthy by one of
  // the signals in the first group, (b) survive the FP exclusions, and
  // (c) carry Planner-style call-to-action display text (regex at the end)
  and any(body.links,
          (
            // host reputation / hosting signals
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "rs6.net"
            )

            // Google AMP redirect
            or (
              .href_url.domain.sld == "google"
              and strings.starts_with(.href_url.path, "/amp/")
            )

            // Recipient email address in link
            // NOTE(review): `..href_url.url` presumably resolves to the link
            // iterated by the inner any(body.links, ...), one scope above
            // recipients.to — confirm the `..` scoping against the MQL docs
            or any(body.links,
                   any(recipients.to,
                       strings.icontains(..href_url.url, .email.email)
                       and any(recipients.to, .email.domain.valid)
                   )
            )
            or .href_url.domain.root_domain == "beehiiv.com"
          )

          // exclude sources of potential FPs
          // NOTE(review): the Microsoft/mimecast allowlist is skipped for every
          // link whenever any link in the message sits on a free file host
          // (the `or any(...)` branch) — confirm this is the intended trade-off
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "mimecastprotect.com",
              "office.com",
              "microsoftproject.com"
            )
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          and .href_url.domain.root_domain not in $org_domains
          and .href_url.domain.valid
          // Planner-style call to action on the link text itself
          and regex.icontains(.display_text,
                              "(go.?to|view|show|display|access|open.?in) (team|planner|group|task|browser)"
          )
  )

  // not a reply: no References header and no In-Reply-To field on any hop
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // Planner logo
  // LogoDetect coming soon
  // NOTE(review): this is all() over attachments — if MQL treats an empty list
  // as vacuously true, a message with no attachments passes this clause and
  // the "logo" requirement only bites when attachments are present; confirm
  and (
    all(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                // small, relatively square image
                // NOTE(review): only a lower bound on height/width, so tall
                // images also pass; a matching upper bound (e.g. < 1.1) would
                // express "square" — confirm intent before tightening
                (
                  .scan.exiftool.image_height / .scan.exiftool.image_width
                ) > 0.9
                and (.scan.exiftool.image_height + .scan.exiftool.image_width) < 500
        )
    )
  )

  // suspicious content: any two of the five phrasing signals, OR an NLU
  // credential-theft intent, OR a small cluster of links on one domain
  and (
    2 of (
      strings.ilike(body.current_thread.text, "*assigned*new team*"),
      strings.ilike(body.current_thread.text, "*Microsoft Office 365*"),
      strings.ilike(body.current_thread.text, "*internal planner*"),
      strings.ilike(body.current_thread.text, "*internal task*"),
      // recipient's org name (domain sld) quoted in the body
      any(recipients.to,
          strings.icontains(body.current_thread.text, .email.domain.sld)
      )
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in~ ("medium", "high")
      )
    )
    // multiple links, but all the same root domain
    // (3 to 9 links, every one on a root domain other than the sender's)
    or (
      length(distinct(body.links, .href_url.domain.root_domain)) == 1
      and 2 < length(body.links) < 10
      and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
    )
  )
  // sender is not a genuine Microsoft property
  // NOTE(review): the list ends with a trailing comma — confirm the MQL parser
  // accepts it (the other lists in this rule do not use one)
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftproject.com",
    "microsoftstoreemail.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "office365.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust domain that fails DMARC is kept in scope as a possible spoof)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender reputation: unsolicited senders, or solicited senders with prior
  // malicious/spam verdicts. The any_false_positives check inside the `or`
  // branch is already implied by the unconditional one just below it.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

  // exclude marketing jargon from ms partners
  // NOTE(review): in `want to know more?` the `?` makes the final `e` optional
  // rather than matching a literal question mark; harmless, but worth confirming
  and not regex.icontains(body.current_thread.text,
                          '(schedul(e|ing)|set up).{0,20}(call|meeting|demo|zoom|conversation|time|tool|discussion)|book.{0,10}(meeting|demo|call|slot|time)|connect.{0,12}(with me|phone|email)|my.{0,10}(calendar|cal)|reserve.{0,10}s[pl]ot|break the ice|want to know more?|miss your chance|if you no longer wish|if you no longer want|if you wish to opt out|low-code (development|approach|solution|journey|platform)|invite.{0,30}(webinar|presentation)'
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "ea363c08-479f-5437-9b5d-3d9e07098200"