Brand impersonation: Google using Microsoft Forms

Detects messages relayed through Microsoft Forms (sending domain email.formspro.microsoft.com) whose sender display name impersonates a Google or Gmail security alert and that either link to an unpopular domain or contain account-suspension lure text.

Sublime rule

 1name: "Brand impersonation: Google using Microsoft Forms"
 2description: |
 3    Abuses Microsoft Forms to impersonate Google.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and sender.email.domain.domain == 'email.formspro.microsoft.com'
 9  and regex.icontains(sender.display_name, '(google|gmail)')
10  and regex.icontains(sender.display_name, '(alert|warning|notification)')
11  // MsgID does not contain Google|Gmail|GoogleMail
12  and not regex.icontains(headers.message_id,
13                          '(mail|mx)?\.?(google(mail)?|gmail.com)'
14  )
15  and (
16    any(body.links, .href_url.domain.root_domain not in $tranco_1m)
17    or strings.ilike(body.html.display_text,
18                     "*suspicious activities*",
19                     "*failure to secure*",
20                     "*loose your*",
21                     "*suspended*"
22    )
23  )  
24attack_types:
25  - "Credential Phishing"
26tactics_and_techniques:
27  - "Impersonation: Brand"
28  - "Lookalike domain"
29  - "Social engineering"
30detection_methods:
31  - "Content analysis"
32  - "Header analysis"
33  - "Sender analysis"
34id: "1daac608-66f7-5d0a-ab0f-ff9902ddabb7"