Credential phishing: Onedrive impersonation

This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language.

Sublime rule (View on GitHub)

  1name: "Credential phishing: Onedrive impersonation"
  2description: "This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  // one drive is found in the sender display name or sender local part
  8  and (
  9    (
 10      regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
 11      or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
 12      or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
 13                                  "one?drive"
 14      ) < 2
 15      or any(attachments,
 16             (
 17               regex.icontains(.file_name, '[0o]ne\s?dr[il1]ve')
 18               and not any(file.explode(.),
 19                           any(.scan.exiftool.fields,
 20                               .key == "Model"
 21                               or (
 22                                 .key == "Software"
 23                                 and strings.starts_with(.value, "Android")
 24                               )
 25                           )
 26                           // exclude images taken with mobile cameras and screenshots from Apple
 27                           or any(.scan.exiftool.fields,
 28                                  .key == "DeviceManufacturer"
 29                                  and .value == "Apple Computer Inc."
 30                           )
 31               )
 32             )
 33             // pdf with OneDrive impersonation
 34             or (
 35               .file_type == "pdf"
 36               and any(ml.logo_detect(.).brands, .name == "Microsoft")
 37               and any(file.explode(.),
 38                       any(.scan.strings.strings,
 39                           strings.icontains(., "shared a file")
 40                       )
 41               )
 42             )
 43      )
 44    )
 45    or regex.imatch(strings.replace_confusables(body.current_thread.text),
 46                    '[0o]ne\s?dr[il1]ve.*'
 47    )
 48    // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
 49    or (
 50      regex.icontains(strings.replace_confusables(subject.subject),
 51                      '[0o]ne\s?dr[il1]ve'
 52      )
 53      and (
 54        any(body.links,
 55            .href_url.domain.root_domain in $free_subdomain_hosts
 56            and .href_url.domain.subdomain is not null
 57            and .href_url.domain.subdomain != "www"
 58        )
 59        or regex.contains(subject.subject, '(shared.{0,30}document)')
 60        or any(body.links,
 61               regex.icontains(.display_text,
 62                               "((view|show|access).(?:report|document)|review doc|view doc|view.attached)"
 63               )
 64        )
 65      )
 66    )
 67    or (
 68      any(ml.nlu_classifier(body.current_thread.text).topics,
 69          .name == "File Sharing and Cloud Services" and .confidence == "high"
 70      )
 71      // more than half of the links with display text contain the keyword "onedrive"
 72      and ratio(filter(body.links, .display_text is not null),
 73                regex.icontains(.display_text, '[0o]ne\s?dr[il1]ve')
 74      ) > 0.5
 75    )
 76    or (
 77      any(body.current_thread.links,
 78          any(ml.logo_detect(ml.link_analysis(.).screenshot).brands,
 79              .name == "Microsoft OneDrive" and .confidence in ("medium", "high")
 80          )
 81          and ml.link_analysis(.).effective_url.domain.root_domain in $free_subdomain_hosts
 82      )
 83      and regex.icontains(body.current_thread.text, '[0o]ne\s?dr[il1]ve')
 84    )
 85  )
 86  // and body language is med/high confidence cred theft
 87  and (
 88    any(ml.nlu_classifier(body.current_thread.text).intents,
 89        .name == "cred_theft" and .confidence in ("medium", "high")
 90    )
 91    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
 92           .name == "cred_theft" and .confidence in ("medium", "high")
 93    )
 94    or any(body.current_thread.links,
 95           ml.link_analysis(.).credphish.disposition == "phishing"
 96    )
 97  )
 98  and length(body.links) < 10
 99  and not (
100    sender.email.domain.root_domain in (
101      "bing.com",
102      "microsoft.com",
103      "microsoftonline.com",
104      "microsoftsupport.com",
105      "microsoft365.com",
106      "office.com",
107      "onedrive.com",
108      "sharepointonline.com",
109      "yammer.com",
110    )
111    and coalesce(headers.auth_summary.dmarc.pass, false)
112  )
113  // negate highly trusted sender domains unless they fail DMARC authentication
114  and not (
115    sender.email.domain.root_domain in $high_trust_sender_root_domains
116    and coalesce(headers.auth_summary.dmarc.pass, false)
117  )
118  // excludes docusign senders that contain "via" in the display name
119  and not (
120    any(headers.hops,
121        any(.fields,
122            .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
123        )
124    )
125    and strings.contains(sender.display_name, "via")
126  )
127  and not profile.by_sender().any_messages_benign  
128attack_types:
129  - "Credential Phishing"
130tactics_and_techniques:
131  - "Free subdomain host"
132  - "Impersonation: Brand"
133  - "Social engineering"
134detection_methods:
135  - "Content analysis"
136  - "Header analysis"
137  - "Natural Language Understanding"
138  - "URL analysis"
139id: "1f990c92-a6d5-5a0b-9462-ac469a8d556e"
to-top