Brand impersonation: Microsoft
Impersonation of the Microsoft brand.
# Sublime Security detection rule. Metadata is plain YAML; the detection
# logic is the MQL expression in the `source` block scalar.
name: "Brand impersonation: Microsoft"
description: |
  Impersonation of the Microsoft brand.
references:
  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
  - "https://cofense.com/blog/office-365-phishing-variant/"
  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
type: "rule"
severity: "high"
authors:
  - twitter: "amitchell516"
source: |
  // Overall shape: inbound message that carries a Microsoft brand signal
  // (subject, body text, display name or look-alike-glyph regex), minus
  // allow-listed Microsoft senders and notification patterns (each of which
  // also requires a DMARC pass), gated on an unusual or previously bad
  // sender profile.
  type.inbound
  // link-count gate; a tighter cap applies when the local part is "newsletter"
  // (note `and` binds tighter than `or`: < 30, or newsletter with < 5)
  and (
    length(body.links) < 30
    or sender.email.local_part == "newsletter" and length(body.links) < 5
  )
  // brand signals: any one of these is enough
  and (
    (
      strings.ilike(subject.subject, '*Microsoft 365*')
      and strings.ilike(subject.subject, '*is expired*')
    )
    or (
      // should catch any instance of the word "expired"
      strings.ilike(body.current_thread.text, "*expir*")
      and strings.ilike(body.current_thread.text, "*password*")
      and strings.ilike(body.current_thread.text, "*microsoft*")
    )
    or regex.icontains(body.current_thread.text,
                       ".*reach you.{0,20}Microsoft Teams"
    )
    or strings.icontains(body.current_thread.text, "microsoft account team")
    or strings.ilike(sender.display_name, '*new activity in Teams*')
    // display name is passed through replace_confusables before the
    // substring check, so look-alike glyphs do not evade this branch
    or strings.icontains(strings.replace_confusables(sender.display_name),
                         'microsoft advertising support'
    )
    or subject.subject =~ 'Offline Message in Teams'
    or strings.ilike(subject.subject, '*Teams Sent A Message')
    or sender.display_name in~ (
      'Microsoft Partner Network',
      'Microsoft Advertising',
      'Microsoft',
      'Microsoft Feedback',
      'Microsoft account team',
      'Microsoft Support',
      'Microsoft 365 Message center',
      'Microsoft Azure'
    )
    // one character class per letter of "Microsoft", each holding the
    // Latin letter plus accented / Cyrillic / mathematical look-alikes
    or regex.icontains(sender.display_name,
                       "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][cćĉċčçƈȼ𝐜𝑐][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]"
    )
    // same classes with "r" and "c" transposed: the "Mircosoft" misspelling
    // is deliberate, hence the [sic] marker
    or regex.icontains(sender.display_name,
                       "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][cćĉċčçƈȼ𝐜𝑐][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]" // [sic]
    )
  )
  // negate Microsoft-owned root domains, but only when DMARC passes, so a
  // spoofed From on one of these domains is still eligible to match
  and not (
    sender.email.domain.root_domain in~ (
      'microsoft.com',
      'microsoftstoreemail.com',
      'microsoftsupport.com',
      'office.com',
      'teams-events.com',
      'qualtrics-research.com',
      'skype.com',
      'azureadnotifications.us',
      'microsoftonline.us',
      'mail.microsoft',
      'office365.com',
      'microsoftadvertising.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // same DMARC-gated exception for two full (non-root) sending domains
  and not (
    sender.email.domain.domain in~ (
      'microsoft.regsvc.com',
      'microsoft.onmicrosoft.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // sender-profile gate: unknown/unusual sender, or one with only bad history
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // negate legitimate Office 365 bouncebacks: every attachment is a DSN or
  // embedded message, the sender is a postmaster-style local part, and the
  // subject carries one of the localised "undeliverable" prefixes
  and not (
    all(attachments,
        .content_type in ("message/delivery-status", "message/rfc822")
    )
    and (
      sender.email.local_part in ('postmaster', 'mailer-daemon')
      or strings.starts_with(sender.email.local_part, 'microsoftexchange')
    )
    and (
      strings.contains(subject.subject, 'Undeliverable:')
      or strings.contains(subject.subject, 'Blocked:')
      or strings.contains(subject.subject, 'Não é possível entregar:')
      or strings.contains(subject.subject, 'Nie można dostarczyć:')
      or strings.contains(subject.subject, 'Non remis :')
      or strings.contains(subject.subject, 'Teslim edilmez:')
      or strings.contains(subject.subject, 'No se puede entregar:')
    )
  )

  // negate other legitimate MS notifications: at least one link, every link
  // lands on a Microsoft root domain or the .microsoft TLD, and DMARC passes
  and not (
    length(body.links) > 0
    and all(body.links,
            .href_url.domain.root_domain in (
              "aka.ms",
              "microsoftonline.com",
              "microsoft.com"
            )
            or .href_url.domain.tld == "microsoft"
    )
    and headers.auth_summary.dmarc.pass
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is a list reference resolved outside this file)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // not a newsletter or advertisement: high-confidence newsletter topic from
  // the NLU classifier plus an unsubscribe link (display text and URL path)
  and not (
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Newsletters and Digests") and .confidence == "high"
    )
    and (
      any(body.links,
          strings.icontains(.display_text, "unsubscribe")
          and (strings.icontains(.href_url.path, "unsubscribe"))
      )
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "6e2f04e6-b607-5e36-9015-d39c98265579"