Brand impersonation: Google using Microsoft Forms
Abuses Microsoft Forms to impersonate Google.
Sublime rule
```yaml
name: "Brand impersonation: Google using Microsoft Forms"
description: |
  Abuses Microsoft Forms to impersonate Google.
type: "rule"
severity: "high"
source: |
  type.inbound
  // Mail actually originates from the Microsoft Forms sending infrastructure
  and sender.email.domain.domain == 'email.formspro.microsoft.com'
  // ...but the display name claims to be Google/Gmail and carries an urgency cue
  and regex.icontains(sender.display_name, '(google|gmail)')
  and regex.icontains(sender.display_name, '(alert|warning|notification)')
  // MsgID does not contain Google|Gmail|GoogleMail (excludes genuine Google mail)
  and not regex.icontains(headers.message_id, '(mail|mx)?\.?(google(mail)?|gmail\.com)')
  and (
    // a link whose root domain is outside the Tranco top 1M...
    any(body.links, .href_url.domain.root_domain not in $tranco_1m)
    // ...or account-suspension lure text ("loose your" is the lure's own misspelling)
    or strings.ilike(body.html.display_text,
      "*suspicious activities*",
      "*failure to secure*",
      "*loose your*",
      "*suspended*"
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "1daac608-66f7-5d0a-ab0f-ff9902ddabb7"
```
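To see how the clauses gate each other, the same logic is re-expressed below in Python and run over four constructed messages. This is an added example, not code from Sublime or from the rule repository: the `Message` model, the tiny `TRANCO_1M` stand-in for `$tranco_1m`, and the sample messages are all assumptions made for illustration, and `strings.ilike` with `*phrase*` patterns is approximated as a case-insensitive substring match.

```python
import re
from dataclasses import dataclass

# Constructed stand-in for Sublime's $tranco_1m list: a few root domains that
# would rank in the Tranco top 1M (assumption for this example only).
TRANCO_1M = {"microsoft.com", "office.com", "google.com", "gmail.com"}

FORMS_SENDER_DOMAIN = "email.formspro.microsoft.com"
BRAND_RE = re.compile(r"(google|gmail)", re.IGNORECASE)
URGENCY_RE = re.compile(r"(alert|warning|notification)", re.IGNORECASE)
# Genuine Google mail carries a Google host in its Message-ID; the rule
# excludes those so it only fires on Forms-originated impersonation.
GOOGLE_MSGID_RE = re.compile(r"(mail|mx)?\.?(google(mail)?|gmail\.com)", re.IGNORECASE)
# The rule's "*phrase*" ilike patterns behave as case-insensitive substring
# checks; "loose your" is the lure's own misspelling and is kept deliberately.
LURE_PHRASES = ("suspicious activities", "failure to secure", "loose your", "suspended")


@dataclass
class Message:
    """Hypothetical model of the message fields the rule reads."""
    inbound: bool
    sender_domain: str
    sender_display_name: str
    message_id: str
    link_root_domains: list[str]   # root domain of each href in body.links
    display_text: str              # body.html.display_text


def matches_rule(msg: Message) -> bool:
    """Return True when every clause of the rule's `source` block holds."""
    if not msg.inbound:
        return False
    if msg.sender_domain != FORMS_SENDER_DOMAIN:
        return False
    if not BRAND_RE.search(msg.sender_display_name):
        return False
    if not URGENCY_RE.search(msg.sender_display_name):
        return False
    if GOOGLE_MSGID_RE.search(msg.message_id):
        return False  # looks like real Google mail, not an impersonation
    unranked_link = any(root not in TRANCO_1M for root in msg.link_root_domains)
    text = msg.display_text.lower()
    lure_text = any(phrase in text for phrase in LURE_PHRASES)
    return unranked_link or lure_text


# Constructed sample messages (not real captures).
SAMPLES = {
    # Forms-hosted lure: brand + urgency in display name, suspension text in body.
    "forms_lure_text": Message(
        inbound=True,
        sender_domain=FORMS_SENDER_DOMAIN,
        sender_display_name="Google Security Alert",
        message_id="<0f3a2c1b-7d8e-4a90-9b12-3c4d5e6f7a8b@email.formspro.microsoft.com>",
        link_root_domains=["office.com"],
        display_text="We detected suspicious activities on your account. Failure to "
                     "secure it within 24 hours means you will loose your access.",
    ),
    # Same display name, but the only link points off the Tranco list.
    "forms_unranked_link": Message(
        inbound=True,
        sender_domain=FORMS_SENDER_DOMAIN,
        sender_display_name="Gmail Account Warning",
        message_id="<1a2b3c4d-5e6f-4789-8abc-def012345678@email.formspro.microsoft.com>",
        link_root_domains=["account-verify-portal.example"],
        display_text="Please confirm your identity to continue using your mailbox.",
    ),
    # Genuine-looking Google Message-ID: the exclusion clause suppresses a hit.
    "google_msgid_excluded": Message(
        inbound=True,
        sender_domain=FORMS_SENDER_DOMAIN,
        sender_display_name="Google Alert",
        message_id="<CAE+abc123@mail.google.com>",
        link_root_domains=["account-verify-portal.example"],
        display_text="Your account will be suspended.",
    ),
    # Benign Forms survey: brand words present, but no lure text or odd links.
    "benign_survey": Message(
        inbound=True,
        sender_domain=FORMS_SENDER_DOMAIN,
        sender_display_name="Google Sheets Notification",
        message_id="<9e8d7c6b-5a49-4382-91f0-abcdef123456@email.formspro.microsoft.com>",
        link_root_domains=["office.com"],
        display_text="Please take two minutes to fill out the team survey.",
    ),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the rule over every constructed sample and report verdicts."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} -> {'MATCH' if verdict else 'no match'}")
```

The two benign-looking samples show where the rule draws its line: a Message-ID that points at Google infrastructure is treated as legitimate Google mail regardless of body content, and a Forms notification that merely mentions Google fires only if it also carries an unranked link or suspension-style lure text.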