Brand impersonation: Microsoft with embedded logo and credential theft language

This rule detects messages that impersonate Microsoft via an embedded logo and contain credential theft language, sent from a new and unsolicited sender.

Sublime rule

   # Detection rule: Microsoft brand logo plus credential-theft language from an unsolicited sender; `source` holds the MQL query.
  1name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
  2description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
     // Attachments, if any, must all be images or PDFs.
  7  and (
  8    (
  9      length(attachments) > 0
 10      and all(attachments,
 11              .file_type in $file_types_images or .file_type == "pdf"
 12      )
 13    )
 14    or length(attachments) == 0
 15  )
     // Brand logo detection on a screenshot of the message, matched on brand names beginning with "Microsoft".
 16  and any(ml.logo_detect(file.message_screenshot()).brands,
 17          strings.starts_with(.name, "Microsoft")
 18  )
     // Credential-theft intent from the NLU classifier on the body text; when the body text is empty,
     // fall back to running the classifier over OCR text extracted from the screenshot (beta).
 19  and (
 20    any(ml.nlu_classifier(body.current_thread.text).intents,
 21        .name == "cred_theft" and .confidence in ("medium", "high")
 22    )
 23    or (
 24      length(body.current_thread.text) == 0
 25      //
 26      // This rule makes use of a beta feature and is subject to change without notice
 27      // using the beta feature in custom rules is not suggested until it has been formally released
 28      //
 29      and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
 30              .name == "cred_theft" and .confidence in ("medium", "high")
 31      )
 32    )
 33  )
     // Carve out mail that passes DMARC for a known Microsoft sending domain. When the DMARC result
     // or the From domain is unavailable (null) the carve-out does not apply, so the rule still fires.
 34  and (
 35    not (
 36      headers.auth_summary.dmarc.pass
 37      and headers.auth_summary.dmarc.details.from.domain in (
 38        "azureadnotifications.us",
 39        "microsoft.com",
 40        "sharepointonline.com",
 41        "cloudappsecurity.com",
 42        "microsoftsupport.com",
 43        "microsoft.onmicrosoft.com",
 44        "yammer.com"
 45      )
 46    )
 47    or headers.auth_summary.dmarc.pass is null
 48    or headers.auth_summary.dmarc.details.from.domain is null
 49  )
     // NOTE(review): this Planner carve-out checks the sender domain, Return-Path and DMARC From root domain,
     // but not headers.auth_summary.dmarc.pass — confirm it should not also require DMARC to pass like the list above.
 50  and not (
 51    sender.email.domain.domain == "planner.office365.com"
 52    and headers.return_path.email == "noreply@planner.office365.com"
 53    and headers.auth_summary.dmarc.details.from.root_domain == "office365.com"
 54  )
 55  // Microsoft has some legit onmicrosoft domains; require SPF pass and links only to microsoft.com
 56  and not (
 57    sender.email.domain.domain == "microsoft.onmicrosoft.com"
 58    and headers.auth_summary.spf.pass
 59    and all(body.links, .href_url.domain.root_domain == "microsoft.com")
 60  )
 61  // message is not from SharePoint itself (additional check in case the DMARC check above does not bail out)
     // Matched on the Message-ID, or on the X-Google-Original-Message-ID hop header where the original id is preserved.
 62  and not (
 63    (
 64      strings.ilike(headers.message_id,
 65                    '<Share-*',
 66                    '<MassDelete-*',
 67                    '<FileDeleteAfterExpiration-*',
 68                    '<NotifyOwnerSharedWithExternalUsers*',
 69                    '<OneTimePasscode*'
 70      )
 71      and strings.ends_with(headers.message_id, '@odspnotify>')
 72    )
 73    or (
 74      any(headers.hops,
 75          any(.fields,
 76              .name == "X-Google-Original-Message-ID"
 77              and strings.ilike(.value,
 78                                '<Share-*',
 79                                '<MassDelete-*',
 80                                '<FileDeleteAfterExpiration-*',
 81                                '<NotifyOwnerSharedWithExternalUsers*',
 82                                '<OneTimePasscode*'
 83              )
 84              and strings.ends_with(.value, '@odspnotify>')
 85          )
 86      )
 87    )
 88  )
     // Sender reputation: unsolicited, or a sender with malicious/spam history and no benign history.
 89  and (
 90    not profile.by_sender().solicited
 91    or (
 92      profile.by_sender().any_messages_malicious_or_spam
 93      and not profile.by_sender().any_messages_benign
 94    )
 95  )
 96  
 97  // negate org domains unless they fail DMARC authentication
 98  and (
 99    (
100      sender.email.domain.root_domain in $org_domains
101      and (
102        not headers.auth_summary.dmarc.pass
103        // MS quarantine digest emails from an org domain are routed "internally" to MS, therefore there is no authentication information
           // NOTE(review): as written, an org-domain sender that passes DMARC also satisfies "not (dmarc.pass is null and ...)",
           // so it is not negated despite the comment above — confirm whether this branch was meant to be
           // "(headers.auth_summary.dmarc.pass is null and not (...))".
104        or not (
105          headers.auth_summary.dmarc.pass is null
106          and all(headers.domains,
107                  .root_domain in ("outlook.com", "office365.com")
108          )
109          // typical emails from freemail Outlook accounts are from prod.outlook.com
110          and strings.ends_with(headers.message_id, "protection.outlook.com>")
111        )
112      )
113    )
114    or sender.email.domain.root_domain not in $org_domains
115  )
116  
117  // negate highly trusted sender domains unless they fail DMARC authentication
118  and (
119    (
120      sender.email.domain.root_domain in $high_trust_sender_root_domains
121      and not headers.auth_summary.dmarc.pass
122    )
123    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
124  )
     // Sender must have no benign history at all; this also makes the "and not ... any_messages_benign"
     // term inside the profile clause above redundant.
125  and not profile.by_sender().any_messages_benign  
126
127attack_types:
128  - "Credential Phishing"
129tactics_and_techniques:
130  - "Impersonation: Brand"
131  - "Social engineering"
132detection_methods:
133  - "Computer Vision"
134  - "Natural Language Understanding"
135  - "Sender analysis"
136id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"