Brand impersonation: Microsoft

calendar Sep 2, 2025  ·
Share on: linkedin copy

Impersonation of the Microsoft brand.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Microsoft"
  2description: |
  3    Impersonation of the Microsoft brand.
  4references:
  5  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
  6  - "https://cofense.com/blog/office-365-phishing-variant/"
  7  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
  8type: "rule"
  9severity: "high"
 10authors:
 11  - twitter: "amitchell516"
 12source: |
 13  type.inbound
 14  and (
 15    length(body.links) < 30
 16    or sender.email.local_part == "newsletter" and length(body.links) < 5
 17  )
 18  and (
 19    (
 20      strings.ilike(subject.subject, '*Microsoft 365*')
 21      and strings.ilike(subject.subject, '*is expired*')
 22    )
 23    or (
 24      // should catch any instance of the word "expired"
 25      strings.ilike(body.current_thread.text, "*expir*")
 26      and strings.ilike(body.current_thread.text, "*password*")
 27      and strings.ilike(body.current_thread.text, "*microsoft*")
 28    )
 29    or regex.icontains(body.current_thread.text,
 30                       ".*reach you.{0,20}Microsoft Teams"
 31    )
 32    or strings.ilike(sender.display_name, '*new activity in Teams*')
 33    or strings.icontains(strings.replace_confusables(sender.display_name),
 34                         'microsoft advertising support'
 35    )
 36    or subject.subject =~ 'Offline Message in Teams'
 37    or strings.ilike(subject.subject, '*Teams Sent A Message')
 38    or sender.display_name in~ (
 39      'Microsoft Partner Network',
 40      'Microsoft Advertising',
 41      'Microsoft',
 42      'Microsoft Feedback',
 43      'Microsoft account team',
 44      'Microsoft Support',
 45      'Microsoft 365 Message center',
 46      'Microsoft Azure'
 47    )
 48    or regex.icontains(sender.display_name,
 49                       "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][cćĉċčçƈȼ𝐜𝑐][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]"
 50    )
 51    or regex.icontains(sender.display_name,
 52                       "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][cćĉċčçƈȼ𝐜𝑐][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]" // [sic]
 53    )
 54  )
 55  and sender.email.domain.root_domain not in~ (
 56    'microsoft.com',
 57    'microsoftstoreemail.com',
 58    'microsoftsupport.com',
 59    'office.com',
 60    'teams-events.com',
 61    'qualtrics-research.com',
 62    'skype.com',
 63    'azureadnotifications.us',
 64    'microsoftonline.us',
 65    'mail.microsoft',
 66    'office365.com'
 67  )
 68  and not (
 69    sender.email.domain.domain in~ (
 70      'microsoft.regsvc.com',
 71      'microsoft.onmicrosoft.com'
 72    )
 73    and headers.auth_summary.dmarc.pass
 74  )
 75  and (
 76    profile.by_sender().prevalence in ("new", "outlier")
 77    or (
 78      profile.by_sender().any_messages_malicious_or_spam
 79      and not profile.by_sender().any_messages_benign
 80    )
 81  )
 82  
 83  // negate legitimate Office 365 bouncebacks
 84  and not (
 85    all(attachments,
 86        .content_type in ("message/delivery-status", "message/rfc822")
 87    )
 88    and (
 89      sender.email.local_part in ('postmaster', 'mailer-daemon')
 90      or strings.starts_with(sender.email.local_part, 'microsoftexchange')
 91    )
 92    and (
 93      strings.contains(subject.subject, 'Undeliverable:')
 94      or strings.contains(subject.subject, 'Blocked:')
 95      or strings.contains(subject.subject, 'Não é possível entregar:')
 96    )
 97  )
 98  
 99  // negate other legitimate MS notifications
100  and not (
101    length(body.links) > 0
102    and all(body.links,
103            .href_url.domain.root_domain in (
104              "aka.ms",
105              "microsoftonline.com",
106              "microsoft.com"
107            )
108            or .href_url.domain.tld == "microsoft"
109    )
110    and headers.auth_summary.dmarc.pass
111  )
112  
113  // negate highly trusted sender domains unless they fail DMARC authentication
114  and (
115    (
116      sender.email.domain.root_domain in $high_trust_sender_root_domains
117      and not headers.auth_summary.dmarc.pass
118    )
119    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
120  )
121  // not a newsletter or advertisement
122  and not any(beta.ml_topic(body.current_thread.text).topics,
123              .name in ("Newsletters and Digests")
124              and .confidence == "high"
125              and (
126                any(body.links,
127                    strings.icontains(.display_text, "unsubscribe")
128                    and (strings.icontains(.href_url.path, "unsubscribe"))
129                )
130              )
131  )  
132
133attack_types:
134  - "Credential Phishing"
135tactics_and_techniques:
136  - "Impersonation: Brand"
137  - "Social engineering"
138detection_methods:
139  - "Content analysis"
140  - "Sender analysis"
141id: "6e2f04e6-b607-5e36-9015-d39c98265579"
to-top