Brand impersonation: Microsoft

Impersonation of the Microsoft brand.

Sublime rule

 1name: "Brand impersonation: Microsoft"
 2description: |
 3    Impersonation of the Microsoft brand.
 4references:
 5  - "https://www.itproportal.com/news/cybercriminals-launch-targeted-phishing-attacks-against-microsoft-365-users/"
 6  - "https://cofense.com/blog/office-365-phishing-variant/"
 7  - "https://www.helpnetsecurity.com/2020/05/04/fake-microsoft-teams-notification/"
 8type: "rule"
 9severity: "high"
10authors:
11  - twitter: "amitchell516"
12source: |
13  type.inbound
14  and (
15    (
16      strings.ilike(subject.subject, '*Microsoft 365*')
17      and strings.ilike(subject.subject, '*is expired*')
18    )
19    or (
20      // should catch any instance of the word "expired"
21      strings.ilike(body.html.display_text, "*expir*")
22      and strings.ilike(body.html.display_text, "*password*")
23      and strings.ilike(body.html.display_text, "*microsoft*")
24    )
25    or regex.icontains(body.html.display_text, ".*reach you.*microsoft teams")
26    or strings.ilike(sender.display_name, '*new activity in Teams*')
27    or subject.subject =~ 'Offline Message in Teams'
28    or strings.ilike(subject.subject, '*Teams Sent A Message')
29    or sender.display_name in~ (
30      'Microsoft Partner Network',
31      'Microsoft',
32      'Microsoft Feedback',
33      'Microsoft account team',
34      'Microsoft Support',
35      'Microsoft 365 Message center',
36      'Microsoft Azure'
37    )
38  )
39  and sender.email.domain.root_domain not in~ (
40    'microsoft.com',
41    'microsoftsupport.com',
42    'office.com',
43    'teams-events.com'
44  )
45  
46  // first-time sender
47  and (
48    (
49      sender.email.domain.root_domain in $free_email_providers
50      and sender.email.email not in $sender_emails
51    )
52    or (
53      sender.email.domain.root_domain not in $free_email_providers
54      and sender.email.domain.domain not in $sender_domains
55    )
56  )  
57
58attack_types:
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Impersonation: Brand"
62  - "Social engineering"
63detection_methods:
64  - "Content analysis"
65  - "Sender analysis"
66id: "6e2f04e6-b607-5e36-9015-d39c98265579"