Brand Impersonation: Microsoft Planner With Suspicious Link
Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite.
# Sublime Security detection rule. The MQL query lives in the "source" block
# scalar; "//" lines inside it are MQL comments, not YAML comments.
name: "Brand Impersonation: Microsoft Planner With Suspicious Link"
description: "Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // suspicious link
  // This any() fires only if a single link satisfies every clause inside it:
  // a suspicious destination, not on the FP exclusion list below, not an org
  // domain, a valid domain, and Planner-style display text.
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "rs6.net"
            )

            // Google AMP redirect
            or (
              .href_url.domain.sld == "google"
              and strings.starts_with(.href_url.path, "/amp/")
            )

            // Recipient email address in link
            // NOTE(review): this inner any(body.links, ...) re-scans every link,
            // so ..href_url.url refers to the inner link, not the one the outer
            // any() is evaluating. The clause therefore holds for every link
            // whenever any link in the body contains a recipient address -
            // confirm this is intended rather than a per-link check.
            // The nested any(recipients.to, .email.domain.valid) only requires
            // that some recipient has a valid domain.
            or any(body.links,
                   any(recipients.to,
                       strings.icontains(..href_url.url, .email.email)
                       and any(recipients.to, .email.domain.valid)
                   )
            )
            or .href_url.domain.root_domain == "beehiiv.com"
          )

          // exclude sources of potential FPs
          // Microsoft-owned link domains are excluded unless some link in the
          // body points at a free file host.
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net",
              "mimecastprotect.com",
              "office.com",
              "microsoftproject.com"
            )
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          and .href_url.domain.root_domain not in $org_domains
          and .href_url.domain.valid
          // link text such as "go to planner" / "view task" / "access team"
          and regex.icontains(.display_text,
                              "(go.?to|view|show|display|access) (team|planner|group|task)"
          )
  )

  // not a reply
  // No References header and no In-Reply-To field on any hop.
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // Planner logo
  // LogoDetect coming soon
  // NOTE(review): this uses all() over attachments. If all() is vacuously true
  // for a message with no attachments, this clause does not actually require a
  // logo image to be present; conversely one non-image attachment makes the
  // whole clause false. Confirm both are intended.
  and (
    all(attachments,
        .file_type in $file_types_images
        and any(file.explode(.),
                // small, relatively square image
                // NOTE(review): if image_height/image_width are integer fields,
                // this division may truncate and behave like ">= 1" - confirm.
                (
                  .scan.exiftool.image_height / .scan.exiftool.image_width
                ) > 0.9
                and (.scan.exiftool.image_height + .scan.exiftool.image_width) < 500
        )
    )
  )

  // suspicious content
  // Either two of the three Planner-themed phrases below, or an NLU
  // credential-theft intent at medium or high confidence.
  and (
    2 of (
      strings.ilike(body.current_thread.text, "*assigned*new team*"),
      strings.ilike(body.current_thread.text, "*Microsoft Office 365*"),
      strings.ilike(body.current_thread.text, "*internal planner*")
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in~ ("medium", "high")
      )
    )
  )
  // sender is not one of the listed Microsoft-owned root domains
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftproject.com",
    "microsoftstoreemail.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "office365.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender reputation: unsolicited, or previously flagged malicious/spam.
  // The inner any_false_positives check is implied by the outer one below,
  // so a sender with recorded false positives never matches.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not profile.by_sender().any_false_positives

  // exclude marketing jargon from ms partners
  and not regex.icontains(body.current_thread.text,
                          '(schedul(e|ing)|set up).{0,20}(call|meeting|demo|zoom|conversation|time|tool|discussion)|book.{0,10}(meeting|demo|call|slot|time)|connect.{0,12}(with me|phone|email)|my.{0,10}(calendar|cal)|reserve.{0,10}s[pl]ot|break the ice|want to know more?|miss your chance|if you no longer wish|if you no longer want|if you wish to opt out|low-code (development|approach|solution|journey|platform)|invite.{0,30}(webinar|presentation)'
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "ea363c08-479f-5437-9b5d-3d9e07098200"