Brand impersonation: Microsoft with embedded logo and credential theft language

calendar Dec 19, 2024  ยท
Share on: linkedin copy

This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
 2description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      length(attachments) > 0
10      and all(attachments,
11              .file_type in $file_types_images or .file_type == "pdf"
12      )
13    )
14    or length(attachments) == 0
15  )
16  and any(ml.logo_detect(beta.message_screenshot()).brands,
17          strings.starts_with(.name, "Microsoft")
18  )
19  and (
20    any(ml.nlu_classifier(body.current_thread.text).intents,
21        .name == "cred_theft" and .confidence in ("medium", "high")
22    )
23    or (
24      length(body.current_thread.text) == 0
25      and any(file.explode(beta.message_screenshot()),
26              any(ml.nlu_classifier(.scan.ocr.raw).intents,
27                  .name == "cred_theft" and .confidence in ("medium", "high")
28              )
29      )
30    )
31  )
32  and (
33    not (
34      headers.auth_summary.dmarc.pass
35      and headers.auth_summary.dmarc.details.from.domain in (
36        "azureadnotifications.us",
37        "microsoft.com",
38        "sharepointonline.com",
39        "cloudappsecurity.com",
40        "microsoftsupport.com",
41        "microsoft.onmicrosoft.com",
42        "yammer.com"
43      )
44    )
45    or headers.auth_summary.dmarc.pass is null
46    or headers.auth_summary.dmarc.details.from.domain is null
47  )
48  and (
49    not profile.by_sender().solicited
50    or (
51      profile.by_sender().any_messages_malicious_or_spam
52      and not profile.by_sender().any_false_positives
53    )
54  )
55  and not (
56    sender.email.domain.domain == "planner.office365.com"
57    and headers.return_path.email == "noreply@planner.office365.com"
58    and headers.auth_summary.dmarc.details.from.domain == "planner.office365.com"
59  )
60  
61  // message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
62  and not (
63    strings.ilike(headers.message_id, '<Share-*', '<MassDelete-*')
64    and strings.ends_with(headers.message_id, '@odspnotify>')
65  )
66
67  // negate highly trusted sender domains unless they fail DMARC authentication
68  and (
69    (
70      sender.email.domain.root_domain in $high_trust_sender_root_domains
71      and not headers.auth_summary.dmarc.pass
72    )
73    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
74  )
75  and not profile.by_sender().any_false_positives  
76
77attack_types:
78  - "Credential Phishing"
79tactics_and_techniques:
80  - "Impersonation: Brand"
81  - "Social engineering"
82detection_methods:
83  - "Computer Vision"
84  - "Natural Language Understanding"
85  - "Sender analysis"
86id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"
to-top