Credential phishing: Onedrive impersonation

calendar Jun 18, 2024  ·
Share on: linkedin copy

This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language.

Sublime rule (View on GitHub)

 1name: "Credential phishing: Onedrive impersonation"
 2description: "This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  // one drive is found in the sender display name or sender local part
 8  and (
 9    (
10      regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
11      or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
12      or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
13                                  "one?drive"
14      ) < 2
15    )
16    // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
17    or (
18      regex.icontains(strings.replace_confusables(subject.subject),
19                      '[0o]ne\s?dr[il1]ve'
20      )
21      and (
22        any(body.links,
23            .href_url.domain.root_domain in $free_subdomain_hosts
24            and .href_url.domain.subdomain is not null
25            and .href_url.domain.subdomain != "www"
26        )
27        or regex.contains(subject.subject, '(shared.{0,30}document)')
28        or any(body.links,
29               regex.icontains(.display_text,
30                               "((view|show|access).document|review doc|view doc|view.attached)"
31               )
32        )
33      )
34    )
35  )
36  
37  // and body language is med/high confidence cred theft
38  and any(ml.nlu_classifier(body.current_thread.text).intents,
39          .name == "cred_theft" and .confidence in ("medium", "high")
40  )
41  and length(body.links) < 10
42  and sender.email.domain.root_domain not in (
43    "bing.com",
44    "microsoft.com",
45    "microsoftonline.com",
46    "microsoftsupport.com",
47    "microsoft365.com",
48    "office.com",
49    "onedrive.com",
50    "sharepointonline.com",
51    "yammer.com",
52  )
53  
54  // negate highly trusted sender domains unless they fail DMARC authentication
55  and (
56    (
57      sender.email.domain.root_domain in $high_trust_sender_root_domains
58      and not headers.auth_summary.dmarc.pass
59    )
60    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
61  )
62  
63  // excludes docusign senders that contain "via" in the display name 
64  and not (
65    any(headers.hops,
66        any(.fields,
67            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
68        )
69    )
70    and strings.contains(sender.display_name, "via")
71  )
72  and not profile.by_sender().solicited
73  and not profile.by_sender().any_false_positives
74    
75attack_types:
76  - "Credential Phishing"
77tactics_and_techniques:
78  - "Free subdomain host"
79  - "Impersonation: Brand"
80  - "Social engineering"
81detection_methods:
82  - "Content analysis"
83  - "Header analysis"
84  - "Natural Language Understanding"
85  - "URL analysis"
86id: "1f990c92-a6d5-5a0b-9462-ac469a8d556e"
to-top