Brand impersonation: Microsoft

Impersonation of the Microsoft brand.

Sublime rule

# Sublime Security detection rule: matches inbound mail that borrows Microsoft
# branding (subject, body text, or sender display name) but is sent from a
# domain outside the Microsoft list below, by a sender that is unfamiliar or
# previously flagged. Inside `source:`, `//` lines are MQL comments.
name: "Brand impersonation: Microsoft"
description: |
    Impersonation of the Microsoft brand.
# Background reading on the phishing themes the conditions below are modelled on.
references:
  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
  - "https://cofense.com/blog/office-365-phishing-variant/"
  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
type: "rule"
severity: "high"
authors:
  - twitter: "amitchell516"
# Detection logic as one MQL boolean expression; the rule fires when it is true.
source: |
  type.inbound
  // Link-count gate to skip link-heavy bulk mail.
  // NOTE(review): if `and` binds tighter than `or` (as in most expression
  // languages), the "newsletter" branch is already implied by
  // `length(body.links) < 30`; confirm whether the intended grouping was
  // (< 30 and not newsletter) or (newsletter and < 5).
  and (
    length(body.links) < 30
    or sender.email.local_part == "newsletter" and length(body.links) < 5
  )
  // Microsoft-themed lure content: expiry/password wording, Teams
  // notification themes, or a display name claiming to be a Microsoft team.
  and (
    (
      strings.ilike(subject.subject, '*Microsoft 365*')
      and strings.ilike(subject.subject, '*is expired*')
    )
    or (
      // should catch any instance of the word "expired"
      strings.ilike(body.current_thread.text, "*expir*")
      and strings.ilike(body.current_thread.text, "*password*")
      and strings.ilike(body.current_thread.text, "*microsoft*")
    )
    or regex.icontains(body.current_thread.text,
                       ".*reach you.{0,20}Microsoft Teams"
    )
    or strings.ilike(sender.display_name, '*new activity in Teams*')
    or subject.subject =~ 'Offline Message in Teams'
    or strings.ilike(subject.subject, '*Teams Sent A Message')
    // case-insensitive exact match against the display name
    or sender.display_name in~ (
      'Microsoft Partner Network',
      'Microsoft',
      'Microsoft Feedback',
      'Microsoft account team',
      'Microsoft Support',
      'Microsoft 365 Message center',
      'Microsoft Azure'
    )
  )
  // Exclude Microsoft's own sending domains (the non-Microsoft names are
  // presumably vendors mailing on Microsoft's behalf; verify against the
  // rule's FP history).
  // NOTE(review): this exclusion is keyed on the From root domain string alone
  // and, unlike the $high_trust_sender_root_domains clause below, is not
  // conditioned on DMARC passing; consider mirroring that condition so the
  // exemption only applies to authenticated mail.
  and sender.email.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftstoreemail.com',
    'microsoftsupport.com',
    'office.com',
    'teams-events.com',
    'qualtrics-research.com'
  )
  // Sender reputation gate: unfamiliar senders, or senders with prior
  // malicious/spam messages and no recorded false positives.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate legitimate Office 365 bouncebacks
  // (all attachments are delivery-status/rfc822 parts, postmaster-style
  // sender, and an "Undeliverable:" subject)
  and not (
    all(attachments,
        .content_type in ("message/delivery-status", "message/rfc822")
    )
    and (sender.email.local_part in ('postmaster', 'mailer-daemon'))
    and strings.contains(subject.subject, 'Undeliverable:')
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Classification tags: attack type, tactics/techniques, and detection methods.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
# Stable identifier for this rule (quoted so it is never retyped).
id: "6e2f04e6-b607-5e36-9015-d39c98265579"