Brand impersonation: Microsoft
Impersonation of the Microsoft brand.
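name: "Brand impersonation: Microsoft"
description: |
  Impersonation of the Microsoft brand.
references:
  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
  - "https://cofense.com/blog/office-365-phishing-variant/"
  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
type: "rule"
severity: "high"
authors:
  - twitter: "amitchell516"
source: |
  type.inbound
  // presumably meant to skip link-heavy newsletters and digests -- TODO confirm intent
  and length(body.links) < 30

  // at least one Microsoft / Microsoft 365 / Teams lure must be present
  and (
    (
      strings.ilike(subject.subject, '*Microsoft 365*')
      and strings.ilike(subject.subject, '*is expired*')
    )
    or (
      // "*expir*" matches expired, expire, expiring and expiration
      strings.ilike(body.current_thread.text, "*expir*")
      and strings.ilike(body.current_thread.text, "*password*")
      and strings.ilike(body.current_thread.text, "*microsoft*")
    )
    or regex.icontains(body.current_thread.text, ".*reach you.{0,20}Microsoft Teams")
    or strings.ilike(sender.display_name, '*new activity in Teams*')
    or subject.subject =~ 'Offline Message in Teams'
    or strings.ilike(subject.subject, '*Teams Sent A Message')
    or sender.display_name in~ (
      'Microsoft Partner Network',
      'Microsoft',
      'Microsoft Feedback',
      'Microsoft account team',
      'Microsoft Support',
      'Microsoft 365 Message center',
      'Microsoft Azure'
    )
  )

  // legitimate Microsoft sending domains are exempt only while the message
  // does not fail DMARC; a DMARC-failing message that claims one of these
  // domains is the spoof this rule exists to catch, so it is not excluded.
  // The DMARC check mirrors the $high_trust_sender_root_domains clause below.
  and (
    sender.email.domain.root_domain not in~ (
      'microsoft.com',
      'microsoftstoreemail.com',
      'microsoftsupport.com',
      'office.com',
      'teams-events.com',
      'qualtrics-research.com'
    )
    or any(distinct(headers.hops, .authentication_results.dmarc is not null),
      strings.ilike(.authentication_results.dmarc, "*fail")
    )
  )

  // NOTE: this exempts every sender whose local part is "newsletter",
  // whatever the sending domain is
  and not sender.email.local_part == "newsletter"

  // sender must be new or unusual for the org, or have prior
  // malicious/spam messages with no recorded false positives
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and any(distinct(headers.hops, .authentication_results.dmarc is not null),
        strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "6e2f04e6-b607-5e36-9015-d39c98265579"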