Brand impersonation: SharePoint PDF attachment with credential theft language
PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications.
Sublime rule
name: "Brand impersonation: SharePoint PDF attachment with credential theft language"
description: "PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // attachment gate: a PDF carrying the SharePoint logo, at least one URL in some
  // exploded part, and high-confidence credential-theft language in the OCR text
  and (
    any(attachments,
        (
          .file_type == "pdf"
          and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
          // the URL check and the OCR-language check are independent any() calls over
          // file.explode(.), so they may be satisfied by different exploded parts
          and any(file.explode(.), length(.scan.url.urls) > 0)
          and any(file.explode(.),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence == "high"
                  )
          )
        )
    )
  )
  // negate sharepoint file share
  // NOTE(review): both conditions in this negation (Message-ID shape and link
  // destinations) come from message content the sending side controls; nothing here
  // ties the notification to an authenticated Microsoft sender. Consider also
  // requiring headers.auth_summary.dmarc.pass inside this negation — confirm against
  // a sample of genuine odspnotify messages (including the Google-forwarded case) first.
  and not (
    // based on the message id format
    (
      (
        strings.starts_with(headers.message_id, '<Share-')
        and strings.ends_with(headers.message_id, '@odspnotify>')
      )
      or // negate legitimate access request to file
      (
        strings.starts_with(headers.message_id, '<Sharing')
        and strings.ends_with(headers.message_id, '@odspnotify>')
      )
      // deal with Google thinking the message ID is "broke"
      or (
        strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
        and any(headers.hops,
                any(.fields,
                    .name == "X-Google-Original-Message-ID"
                    and strings.starts_with(.value, '<Share-')
                    and strings.ends_with(.value, '@odspnotify>')
                )
        )
      )
    )
    // all of the "action" links are sharepoint/ms
    // NOTE(review): if the filter() below matches no links, all() over an empty list is
    // presumably true (confirm MQL semantics); a message with a matching Message-ID and
    // no "action"-style links would then satisfy this whole negation. A
    // `length(filter(...)) > 0` guard would close that gap if it is not intended.
    and all(filter(body.links,
                   strings.icontains(subject.subject, .display_text)
                   or .display_text == "Open"
            ),
            .href_url.domain.root_domain in ("sharepoint.com")
            or (
              .href_url.domain.tld == "ms"
              // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
              and (
                network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
                or strings.ilike(network.whois(.href_url.domain).registrar_name,
                                 "*MarkMonitor*",
                                 "*CSC Corporate*",
                                 "*com laude*"
                )
              )
            )
    )
  )
  // negate genuine replies/forwards: the subject is a reply/forward, threading headers
  // are present, and the body carries real prior-thread content
  and not (
    (
      (subject.is_reply or subject.is_forward)
      and (
        (length(headers.references) > 0 or headers.in_reply_to is not null)
        // ensure that there are actual threads
        and (
          length(body.previous_threads) > 0
          or (length(body.html.display_text) - length(body.current_thread.text)) > 200
        )
      )
    )
  )
  // sender is not an established (common) and solicited sender, or has previously
  // sent malicious/spam mail
  and (
    profile.by_sender_email().prevalence != 'common'
    or not profile.by_sender_email().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  // sender has no prior benign messages
  and not profile.by_sender().any_messages_benign

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "PDF"
  - "Evasion"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Header analysis"
  - "Whois"
id: "ae3756fa-3751-5fba-b68d-d91164fd359c"