Brand Impersonation: Microsoft Planner With Suspicious Link

Detects inbound email impersonating Microsoft Planner (a component of the Microsoft 365 suite): a Planner-style call-to-action link ("view task", "go to planner", …) that points somewhere other than Microsoft-owned infrastructure, combined with Planner lure text or a credential-theft NLU verdict, from a sender that is not an established Microsoft domain.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
# The rule fires on inbound mail that reads like a Microsoft Planner notification
# but whose call-to-action link leads away from Microsoft-owned infrastructure,
# from a sender that is not an established Microsoft domain.
name: "Brand Impersonation: Microsoft Planner With Suspicious Link"
description: "Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // suspicious link 
  // One and the same link must satisfy BOTH the "suspicious" disjunction below
  // AND the exclusion / display-text checks that follow it inside this any().
  and any(body.links,
          (
            // Not in the Tranco top 1M, or hosted on free / disposable
            // infrastructure (file hosts, free subdomains, URL shorteners).
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or 
  
            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "rs6.net"
            )
  
            // Google AMP redirect
            or (
              .href_url.domain.sld == "google"
              and strings.starts_with(.href_url.path, "/amp/")
            )
  
            // Recipient email address in link
            // NOTE(review): this branch opens a second any(body.links, ...), so
            // `..href_url` appears to refer to the inner link rather than the
            // outer link being evaluated; the branch is then true for every
            // outer link as soon as ANY link in the body embeds a recipient
            // address. The nested any(recipients.to, .email.domain.valid)
            // likewise checks that some recipient has a valid domain, not
            // necessarily the one that matched.
            or any(body.links,
                   any(recipients.to,
                       strings.icontains(..href_url.url, .email.email)
                       and any(recipients.to, .email.domain.valid)
                   )
            )
            or .href_url.domain.root_domain == "beehiiv.com"
          )
  
          // exclude sources of potential FPs
          // Links to Microsoft / SharePoint / Mimecast-rewritten hosts are not
          // counted, unless the message also carries a free-file-host link
          // somewhere (the `or any(body.links, ...)` re-enables the check).
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "mimecastprotect.com",
              "office.com",
              "microsoftproject.com"
            )
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          // never count links to the organization's own domains or to
          // hosts that do not parse as a valid domain
          and .href_url.domain.root_domain not in $org_domains
          and .href_url.domain.valid
          // the anchor text must read like a Planner call-to-action
          // ("view task", "go to planner", "access team", ...)
          and regex.icontains(.display_text,
                              "(go.?to|view|show|display|access) (team|planner|group|task)"
          )
  )
  
  // not a reply
  // A message is treated as a reply only when it has BOTH a References header
  // and an In-Reply-To field on some hop; either one missing lets it through.
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  
  // Planner logo
  // LogoDetect coming soon
  // Stand-in for logo detection: every attachment must be an image whose
  // exploded content is small and roughly square (height/width > 0.9 and
  // height + width < 500). There is no upper bound on the ratio, so a tall
  // portrait image also passes.
  // NOTE(review): all() over an empty attachment list is presumably true, so a
  // message with no attachments satisfies this clause — it rejects messages
  // carrying other attachment types rather than requiring a logo. Confirm
  // that is the intended behaviour.
  and (
    all(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                // small, relatively square image
                (
                  .scan.exiftool.image_height / .scan.exiftool.image_width
                ) > 0.9
                and (.scan.exiftool.image_height + .scan.exiftool.image_width) < 500
        )
    )
  )
  
  // suspicious content
  // Either two of the three Planner-themed lure phrases, or an NLU
  // credential-theft intent at medium/high confidence.
  and (
    2 of (
      strings.ilike(body.current_thread.text, "*assigned*new team*"),
      strings.ilike(body.current_thread.text, "*Microsoft Office 365*"),
      strings.ilike(body.current_thread.text, "*internal planner*")
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in~ ("medium", "high")
      )
    )
  )
  // sender is not one of Microsoft's own mail-sending domains
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftproject.com",
    "microsoftstoreemail.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "office365.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a DMARC failure on a high-trust domain is kept as possible spoofing)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender reputation: unsolicited, or solicited but with prior malicious/spam
  // verdicts. The inner `and not ...any_false_positives` is subsumed by the
  // unconditional check that follows this group.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives
  
  // exclude marketing jargon from ms partners
  and not regex.icontains(body.current_thread.text,
                          '(schedul(e|ing)|set up).{0,20}(call|meeting|demo|zoom|conversation|time|tool|discussion)|book.{0,10}(meeting|demo|call|slot|time)|connect.{0,12}(with me|phone|email)|my.{0,10}(calendar|cal)|reserve.{0,10}s[pl]ot|break the ice|want to know more?|miss your chance|if you no longer wish|if you no longer want|if you wish to opt out|low-code (development|approach|solution|journey|platform)|invite.{0,30}(webinar|presentation)'
  )  

# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "ea363c08-479f-5437-9b5d-3d9e07098200"