Brand impersonation: Microsoft

Impersonation of the Microsoft brand.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Microsoft"
  2description: |
  3    Impersonation of the Microsoft brand.
  4references:
  5  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
  6  - "https://cofense.com/blog/office-365-phishing-variant/"
  7  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
  8type: "rule"
  9severity: "high"
 10authors:
 11  - twitter: "amitchell516"
 12source: |
     // Rule structure, top to bottom: inbound only; a link-count gate; at least one
     // Microsoft-themed lure (subject, body text, display name, or a homoglyph regex
     // on the display name); then negations for DMARC-authenticated Microsoft senders,
     // Office 365 bouncebacks, link-only Microsoft notifications, high-trust domains
     // and newsletters; plus a sender-reputation gate.
 13  type.inbound
 14  and (
       // Link-count gate.
       // NOTE(review): reading `and` as binding tighter than `or`, the second branch is
       // subsumed by the first (any count < 5 is already < 30), so the "newsletter"
       // sender is never held to a stricter limit — confirm whether
       // `(sender.email.local_part != "newsletter" and length(body.links) < 30)` was intended.
 15    length(body.links) < 30
 16    or sender.email.local_part == "newsletter" and length(body.links) < 5
 17  )
 18  and (
       // Subject lure: "Microsoft 365" together with "is expired".
 19    (
 20      strings.ilike(subject.subject, '*Microsoft 365*')
 21      and strings.ilike(subject.subject, '*is expired*')
 22    )
       // Body lure: expiry + password + microsoft all present in the current thread text.
 23    or (
 24      // should catch any instance of the word "expired"
 25      strings.ilike(body.current_thread.text, "*expir*")
 26      and strings.ilike(body.current_thread.text, "*password*")
 27      and strings.ilike(body.current_thread.text, "*microsoft*")
 28    )
       // Teams "tried to reach you" lure. regex.icontains matches anywhere in the text,
       // so the leading `.*` presumably adds nothing — verify before relying on it.
 29    or regex.icontains(body.current_thread.text,
 30                       ".*reach you.{0,20}Microsoft Teams"
 31    )
 32    or strings.icontains(body.current_thread.text, "microsoft account team")
 33    or strings.ilike(sender.display_name, '*new activity in Teams*')
       // replace_confusables is applied first, presumably to fold look-alike characters
       // in the display name back to ASCII before the substring check.
 34    or strings.icontains(strings.replace_confusables(sender.display_name),
 35                         'microsoft advertising support'
 36    )
 37    or subject.subject =~ 'Offline Message in Teams'
 38    or strings.ilike(subject.subject, '*Teams Sent A Message')
       // Exact display-name matches; `in~` is the case-insensitive form.
 39    or sender.display_name in~ (
 40      'Microsoft Partner Network',
 41      'Microsoft Advertising',
 42      'Microsoft',
 43      'Microsoft Feedback',
 44      'Microsoft account team',
 45      'Microsoft Support',
 46      'Microsoft 365 Message center',
 47      'Microsoft Azure'
 48    )
       // Character-class regex: "Microsoft" spelled with accented, Cyrillic, modifier or
       // math-alphanumeric look-alikes for each letter. Display name only.
 49    or regex.icontains(sender.display_name,
 50                       "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][cćĉċčçƈȼ𝐜𝑐][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]"
 51    )
       // Same classes with "r" and "c" transposed ("Mircosoft"); the [sic] marks the
       // misspelling as deliberate.
 52    or regex.icontains(sender.display_name,
 53                       "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][cćĉċčçƈȼ𝐜𝑐][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]" // [sic]
 54    )
 55  )
     // Allowlist 1: Microsoft-operated root domains, exempted only when DMARC passes —
     // a spoofed message claiming one of these domains without authentication still fires.
 56  and not (
 57    sender.email.domain.root_domain in~ (
 58      'microsoft.com',
 59      'microsoftstoreemail.com',
 60      'microsoftsupport.com',
 61      'office.com',
 62      'teams-events.com',
 63      'qualtrics-research.com',
 64      'skype.com',
 65      'azureadnotifications.us',
 66      'microsoftonline.us',
 67      'mail.microsoft',
 68      'office365.com',
 69      'microsoftadvertising.com'
 70    )
 71    and headers.auth_summary.dmarc.pass
 72  )
     // Allowlist 2: specific full domains (exact `.domain` match rather than root domain),
     // under the same DMARC condition.
 73  and not (
 74    sender.email.domain.domain in~ (
 75      'microsoft.regsvc.com',
 76      'microsoft.onmicrosoft.com'
 77    )
 78    and headers.auth_summary.dmarc.pass
 79  )
     // Sender-reputation gate: the sender is new or an outlier, or has prior
     // malicious/spam messages and no benign ones.
 80  and (
 81    profile.by_sender().prevalence in ("new", "outlier")
 82    or (
 83      profile.by_sender().any_messages_malicious_or_spam
 84      and not profile.by_sender().any_messages_benign
 85    )
 86  )
 87  
 88  // negate legitimate Office 365 bouncebacks
     // All three parts must hold: every attachment is a delivery-status/rfc822 part,
     // the sender is a bounce mailbox, and the subject carries a bounce prefix.
     // NOTE(review): `in` here is case-sensitive while the other list checks use `in~`,
     // so an upper-case MAILER-DAEMON local part would not be exempted — confirm intent.
     // NOTE(review): all(attachments, ...) is presumably true for a message with no
     // attachments; confirm the bounce exemption is meant to apply in that case.
 89  and not (
 90    all(attachments,
 91        .content_type in ("message/delivery-status", "message/rfc822")
 92    )
 93    and (
 94      sender.email.local_part in ('postmaster', 'mailer-daemon')
 95      or strings.starts_with(sender.email.local_part, 'microsoftexchange')
 96    )
 97    and (
 98      strings.contains(subject.subject, 'Undeliverable:')
 99      or strings.contains(subject.subject, 'Blocked:')
100      or strings.contains(subject.subject, 'Não é possível entregar:')
101    )
102  )
103  
104  // negate other legitimate MS notifications
     // Every link must resolve to a listed Microsoft root domain or the .microsoft TLD,
     // and DMARC must pass. `length(body.links) > 0` keeps link-less messages from
     // satisfying the all() clause.
105  and not (
106    length(body.links) > 0
107    and all(body.links,
108            .href_url.domain.root_domain in (
109              "aka.ms",
110              "microsoftonline.com",
111              "microsoft.com"
112            )
113            or .href_url.domain.tld == "microsoft"
114    )
115    and headers.auth_summary.dmarc.pass
116  )
117  
118  // negate highly trusted sender domains unless they fail DMARC authentication
     // i.e. a high-trust domain is exempt only while it authenticates; any other
     // domain passes this gate unconditionally.
119  and (
120    (
121      sender.email.domain.root_domain in $high_trust_sender_root_domains
122      and not headers.auth_summary.dmarc.pass
123    )
124    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
125  )
126  // not a newsletter or advertisement
     // Requires both a high-confidence "Newsletters and Digests" classification and an
     // unsubscribe link (display text and URL path) before exempting the message.
127  and not (
128    any(ml.nlu_classifier(body.current_thread.text).topics,
129        .name in ("Newsletters and Digests") and .confidence == "high"
130    )
131    and (
132      any(body.links,
133          strings.icontains(.display_text, "unsubscribe")
134          and (strings.icontains(.href_url.path, "unsubscribe"))
135      )
136    )
137  )  
138
139attack_types:
140  - "Credential Phishing"
141tactics_and_techniques:
142  - "Impersonation: Brand"
143  - "Social engineering"
144detection_methods:
145  - "Content analysis"
146  - "Sender analysis"
147id: "6e2f04e6-b607-5e36-9015-d39c98265579"