Brand impersonation: SharePoint PDF attachment with credential theft language
PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications.
Sublime rule
# Detection rule: inbound mail carrying a PDF that (a) shows a Microsoft SharePoint
# logo per computer-vision logo detection and (b) contains high-confidence
# credential-theft language per NLU over the OCR text. Known-good SharePoint
# notification traffic and trusted/established senders are negated below.
name: "Brand impersonation: SharePoint PDF attachment with credential theft language"
description: "PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // attachment-level evidence: PDF + SharePoint logo + cred-theft OCR text
  and (
    any(attachments,
      (
        .file_type == "pdf"
        and any(ml.logo_detect(.).brands,
          .name == "Microsoft SharePoint"
          // NOTE(review): this re-iterates `attachments` rather than the current
          // PDF (`.`), so the URL requirement is satisfied by ANY attachment that
          // explodes to a URL, not necessarily the one carrying the logo.
          // The description reads as if it were the same attachment — confirm intent.
          and any(attachments,
            any(file.explode(.), length(.scan.url.urls) > 0)
          )
        )
        // OCR text of the exploded PDF must classify as high-confidence cred_theft
        and any(file.explode(.),
          any(ml.nlu_classifier(.scan.ocr.raw).intents,
            .name == "cred_theft" and .confidence == "high"
          )
        )
      )
    )
  )
  // negate sharepoint file share
  // Both halves must hold for the negation to apply: the Message-ID shape AND
  // the action-link check below. headers.message_id is a sender-supplied header,
  // so the link check is what keeps this negation from being satisfied by the
  // Message-ID alone.
  and not (
    // based on the message id format
    (
      (
        strings.starts_with(headers.message_id, '<Share-')
        and strings.ends_with(headers.message_id, '@odspnotify>')
      )
      or // negate legitimate access request to file
      (
        strings.starts_with(headers.message_id, '<Sharing')
        and strings.ends_with(headers.message_id, '@odspnotify>')
      )
      // deal with Google thinking the message ID is "broke"
      // (original Message-ID is recovered from the X-Google-Original-Message-ID hop field)
      or (
        strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
        and any(headers.hops,
          any(.fields,
            .name == "X-Google-Original-Message-ID"
            and strings.starts_with(.value, '<Share-')
            and strings.ends_with(.value, '@odspnotify>')
          )
        )
      )
    )
    // all of the "action" links are sharepoint/ms
    // "action" links = links whose display text appears in the subject, or reads "Open".
    // NOTE(review): if the filter yields no links, all() is presumably vacuously true
    // and the negation then rests on the Message-ID shape alone — confirm this is intended.
    and all(filter(body.links,
      strings.icontains(subject.subject, .display_text)
      or .display_text == "Open"
    ),
      .href_url.domain.root_domain in ("sharepoint.com")
      or (
        .href_url.domain.tld == "ms"
        // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
        and (
          network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
          or strings.ilike(network.whois(.href_url.domain).registrar_name,
            "*MarkMonitor*",
            "*CSC Corporate*",
            "*com laude*"
          )
        )
      )
    )
  )
  // negate genuine replies/forwards: subject marker + threading headers + visible prior thread
  and not (
    (
      (subject.is_reply or subject.is_forward)
      and (
        (length(headers.references) > 0 or headers.in_reply_to is not null)
        // ensure that there are actual threads
        and (
          length(body.previous_threads) > 0
          or (length(body.html.display_text) - length(body.current_thread.text)) > 200
        )
      )
    )
  )
  // sender must be uncommon, unsolicited, or previously flagged malicious/spam ...
  and (
    profile.by_sender_email().prevalence != 'common'
    or not profile.by_sender_email().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // ... and never previously seen sending benign mail
  and not profile.by_sender().any_messages_benign

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "PDF"
  - "Evasion"
# Each entry corresponds to a capability the query above relies on
# (logo detection, file explosion, NLU, OCR, sender profile, URL/header checks, whois).
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Header analysis"
  - "Whois"
id: "ae3756fa-3751-5fba-b68d-d91164fd359c"