Brand impersonation: Microsoft

Impersonation of the Microsoft brand.

Sublime rule (View on GitHub)

# Sublime detection rule: flags inbound mail that borrows Microsoft branding
# (Microsoft 365 / Teams / account-expiry lures) from senders that are neither
# Microsoft-owned root domains nor established correspondents of the recipient.
name: "Brand impersonation: Microsoft"
description: |
    Impersonation of the Microsoft brand.
references:
  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
  - "https://cofense.com/blog/office-365-phishing-variant/"
  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
type: "rule"
severity: "high"
authors:
  - twitter: "amitchell516"
# MQL query. Lines starting with `//` are MQL comments and are part of the
# block scalar, not YAML comments.
source: |
  // Scope: inbound mail whose body carries fewer than 30 links
  // (presumably to skip link-heavy bulk mail — confirm with the author).
  type.inbound
  and length(body.links) < 30
  // Lure content: any one of the Microsoft 365 expiry, password-expiry or
  // Teams-notification patterns, or a display name that claims to be Microsoft.
  and (
    (
      strings.ilike(subject.subject, '*Microsoft 365*')
      and strings.ilike(subject.subject, '*is expired*')
    )
    or (
      // should catch any instance of the word "expired"
      strings.ilike(body.current_thread.text, "*expir*")
      and strings.ilike(body.current_thread.text, "*password*")
      and strings.ilike(body.current_thread.text, "*microsoft*")
    )
    // "... reach you" followed by up to 20 characters and then "Microsoft Teams"
    or regex.icontains(body.current_thread.text, ".*reach you.{0,20}Microsoft Teams")
    or strings.ilike(sender.display_name, '*new activity in Teams*')
    or subject.subject =~ 'Offline Message in Teams'
    or strings.ilike(subject.subject, '*Teams Sent A Message')
    // Display names Microsoft services send under (case-insensitive match)
    or sender.display_name in~ (
      'Microsoft Partner Network',
      'Microsoft',
      'Microsoft Feedback',
      'Microsoft account team',
      'Microsoft Support',
      'Microsoft 365 Message center',
      'Microsoft Azure'
    )
  )
  // Root domains Microsoft (and its survey/event vendors) legitimately send from.
  // NOTE(review): this exclusion is unconditional — a From address whose root
  // domain is in this list is skipped even when DMARC fails; consider gating
  // it on the same DMARC-fail check applied to $high_trust_sender_root_domains below.
  and sender.email.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftstoreemail.com',
    'microsoftsupport.com',
    'office.com',
    'teams-events.com',
    'qualtrics-research.com'
  )
  // Skip generic newsletter mailboxes regardless of domain.
  and not sender.email.local_part == "newsletter"
  // Sender reputation: fire only for first-seen / rarely-seen senders, or for
  // senders with prior malicious/spam verdicts and no recorded false positives.
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is a list defined outside this file.)
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        // DMARC is read per hop: among hops that carry a DMARC result,
        // any result ending in "fail" keeps the trusted domain in scope.
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  


attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "6e2f04e6-b607-5e36-9015-d39c98265579"