Brand impersonation: Google using Microsoft Forms

Abuses Microsoft Forms to impersonate Google.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Google using Microsoft Forms"
  # Rule metadata; the detection logic is the MQL expression under `source:` below.
 2description: |
 3    Abuses Microsoft Forms to impersonate Google.
 4type: "rule"
 5severity: "high"
 6source: |
    // Only inbound mail is evaluated.
 7  type.inbound
    // The sender domain is an exact match on the Microsoft Forms notification domain
    // (not a lookalike): the abuse is a legitimate Microsoft service relaying
    // attacker-controlled form content, so the sending infrastructure itself is genuine.
 8  and sender.email.domain.domain == 'email.formspro.microsoft.com'
    // The display name must both claim Google/Gmail and carry an urgency word.
 9  and regex.icontains(sender.display_name, '(google|gmail)')
10  and regex.icontains(sender.display_name, '(alert|warning|notification)')
11  // MsgID does not contain Google|Gmail|GoogleMail
    // Skips messages whose Message-ID references Google/Gmail hosts. Note that the
    // '.' in 'gmail.com' is unescaped and so matches any single character; this makes
    // the exclusion marginally broader than written, which is harmless for its intent.
12  and not regex.icontains(headers.message_id, '(mail|mx)?\.?(google(mail)?|gmail.com)')
13  and (
    // Either at least one body link resolves to a root domain outside the $tranco_1m list
    // (presumably the Tranco top-1M popular-domain list) ...
14    any(body.links, .href_url.domain.root_domain not in $tranco_1m)
    // ... or the rendered body text contains a common account-threat lure phrase.
    // "*loose your*" presumably targets the misspelling seen in real lures rather than
    // "lose your" — confirm before "correcting" it.
15    or strings.ilike(body.html.display_text,
16                     "*suspicious activities*",
17                     "*failure to secure*",
18                     "*loose your*",
19                     "*suspended*"
20    )
21  )  
  # Classification tags. "Lookalike domain" is listed, but the logic above keys on the
  # sender display name, Message-ID and link reputation, not on a lookalike domain —
  # verify that tag is intended.
22attack_types:
23  - "Credential Phishing"
24tactics_and_techniques:
25  - "Impersonation: Brand"
26  - "Lookalike domain"
27  - "Social engineering"
28detection_methods:
29  - "Content analysis"
30  - "Header analysis"
31  - "Sender analysis"
32id: "1daac608-66f7-5d0a-ab0f-ff9902ddabb7"