Brand impersonation: Microsoft

Impersonation of the Microsoft brand.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapped around a Message Query
# Language (MQL) expression in `source`. Flags inbound mail that presents as
# Microsoft / Microsoft 365 / Teams but is not sent from one of the Microsoft-
# operated root domains listed below.
name: "Brand impersonation: Microsoft"
# Literal block scalar (`|`): the value keeps one trailing newline. Indented four
# spaces here while the rest of the file uses two; valid, but inconsistent.
description: |
    Impersonation of the Microsoft brand.
references:
  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
  - "https://cofense.com/blog/office-365-phishing-variant/"
  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
type: "rule"
severity: "high"
authors:
  - twitter: "amitchell516"
# `source` is an MQL expression. The `//` lines inside it are MQL comments, not
# YAML comments, so they are part of the string value; YAML `#` comments cannot
# be placed inside the block scalar. Clause by clause:
#   1. inbound, with a cap on body links. Effectively `length(body.links) < 30`
#      if `and` binds tighter than `or` (as in most languages).
#      NOTE(review): because `< 5` implies `< 30`, the
#      `local_part == "newsletter" and length(body.links) < 5` arm never changes
#      the outcome under either precedence. If a tighter limit for newsletter
#      senders was intended, the first arm would also need
#      `and sender.email.local_part != "newsletter"` — confirm with the author.
#   2. at least one Microsoft / Teams lure: subject or body text patterns, or a
#      sender display name from the list (`in~` and `=~` are the
#      case-insensitive operators).
#   3. sender root domain is not in the hard-coded Microsoft-operated list.
#      NOTE(review): this exemption keys on the From: root domain alone, with no
#      authentication check, whereas the `$high_trust_sender_root_domains`
#      exemption in clause 6 additionally requires DMARC pass. Consider the same
#      `headers.auth_summary.dmarc.pass` condition here so that a message whose
#      sender domain merely claims to be one of these domains is not exempted.
#   4. sender profile is "new" or "outlier", or has prior malicious/spam
#      messages and no recorded false positives.
#   5. exclude legitimate bouncebacks: every attachment is a delivery-status or
#      rfc822 part, the sender local part is postmaster/mailer-daemon, and the
#      subject contains "Undeliverable:".
#   6. high-trust root domains are exempt unless they fail DMARC.
# Style: the regex `.*reach you.{0,20}Microsoft Teams` has a redundant leading
# `.*` under a contains-style match; the parentheses around
# `sender.email.local_part in (...)` in clause 5 are redundant. Two lines inside
# the block scalar carry trailing spaces (after clause 5 and on the final `)`),
# which become part of the value — harmless to MQL, but flagged by yamllint.
source: |
  type.inbound
  and (
    length(body.links) < 30
    or sender.email.local_part == "newsletter" and length(body.links) < 5
  )
  and (
    (
      strings.ilike(subject.subject, '*Microsoft 365*')
      and strings.ilike(subject.subject, '*is expired*')
    )
    or (
      // should catch any instance of the word "expired"
      strings.ilike(body.current_thread.text, "*expir*")
      and strings.ilike(body.current_thread.text, "*password*")
      and strings.ilike(body.current_thread.text, "*microsoft*")
    )
    or regex.icontains(body.current_thread.text,
                       ".*reach you.{0,20}Microsoft Teams"
    )
    or strings.ilike(sender.display_name, '*new activity in Teams*')
    or subject.subject =~ 'Offline Message in Teams'
    or strings.ilike(subject.subject, '*Teams Sent A Message')
    or sender.display_name in~ (
      'Microsoft Partner Network',
      'Microsoft',
      'Microsoft Feedback',
      'Microsoft account team',
      'Microsoft Support',
      'Microsoft 365 Message center',
      'Microsoft Azure'
    )
  )
  and sender.email.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftstoreemail.com',
    'microsoftsupport.com',
    'office.com',
    'teams-events.com',
    'qualtrics-research.com',
    'skype.com'
  )
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate legitimate Office 365 bouncebacks
  and not (
    all(attachments,
        .content_type in ("message/delivery-status", "message/rfc822")
    )
    and (sender.email.local_part in ('postmaster', 'mailer-daemon'))
    and strings.contains(subject.subject, 'Undeliverable:')
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Categorisation tags.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
# Rule identifier (UUID), quoted so it is never retyped by tooling.
id: "6e2f04e6-b607-5e36-9015-d39c98265579"