Credential phishing: Onedrive impersonation
This rule detects messages impersonating Microsoft's OneDrive service that carry medium- to high-confidence credential-theft language in the current thread. The subject is inspected for OneDrive language, with additional checks for links hosted on free-subdomain services, further suspicious subject language, or suspicious link display-text language.
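# Sublime detection rule: inbound mail that impersonates OneDrive and carries
# medium/high-confidence credential-theft language in the current thread.
name: "Credential phishing: Onedrive impersonation"
description: "This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language."
type: "rule"
severity: "high"
source: |
  type.inbound
  // one drive is found in the sender display name or sender local part.
  // The regex tolerates common lookalikes (0/o, i/l/1) and an optional space;
  // the levenshtein branch catches one-character variants after confusables are
  // normalised (0 < d < 2 means the distance must be exactly 1, so the literal
  // "one?drive" itself is not matched by that branch).
  and (
    (
      regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
      or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
      or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                                  "one?drive"
      ) < 2
    )
    // NOTE(review): imatch must match the whole body text; whether the trailing
    // '.*' spans newlines in a multi-line body depends on the engine's dotall
    // default — confirm before relying on this branch.
    or regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')
    // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
    or (
      regex.icontains(strings.replace_confusables(subject.subject),
                      '[0o]ne\s?dr[il1]ve'
      )
      and (
        any(body.links,
            .href_url.domain.root_domain in $free_subdomain_hosts
            and .href_url.domain.subdomain is not null
            and .href_url.domain.subdomain != "www"
        )
        // case-insensitive, consistent with every other regex in this rule
        // (the case-sensitive form let "Shared Document" subjects slip past)
        or regex.icontains(subject.subject, '(shared.{0,30}document)')
        or any(body.links,
               regex.icontains(.display_text,
                               "((view|show|access).(?:report|document)|review doc|view doc|view.attached)"
               )
        )
      )
    )
  )

  // and body language is med/high confidence cred theft
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
  )
  and length(body.links) < 10

  // negate legitimate Microsoft sender domains only when the message
  // authenticates; a spoofed From: on one of these domains that fails DMARC
  // stays in scope instead of being excluded unconditionally
  and not (
    sender.email.domain.root_domain in (
      "bing.com",
      "microsoft.com",
      "microsoftonline.com",
      "microsoftsupport.com",
      "microsoft365.com",
      "office.com",
      "onedrive.com",
      "sharepointonline.com",
      "yammer.com",
    )
    and headers.auth_summary.dmarc.pass
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // excludes docusign senders that contain "via" in the display name
  and not (
    any(headers.hops,
        any(.fields,
            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
        )
    )
    and strings.contains(sender.display_name, "via")
  )
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

# Classification metadata used for reporting and rule grouping.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free subdomain host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "1f990c92-a6d5-5a0b-9462-ac469a8d556e"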