Brand impersonation: Microsoft with embedded logo and credential theft language

calendar Nov 13, 2024  ยท
Share on: linkedin copy

This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
 2description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    (
 9      length(attachments) > 0
10      and all(attachments,
11              .file_type in $file_types_images or .file_type == "pdf"
12      )
13    )
14    or length(attachments) == 0
15  )
16  and any(ml.logo_detect(beta.message_screenshot()).brands,
17          strings.starts_with(.name, "Microsoft")
18  )
19  and (
20    any(ml.nlu_classifier(body.current_thread.text).intents,
21        .name == "cred_theft" and .confidence in ("medium", "high")
22    )
23    or (
24      length(body.current_thread.text) == 0
25      and any(file.explode(beta.message_screenshot()),
26              any(ml.nlu_classifier(.scan.ocr.raw).intents,
27                  .name == "cred_theft" and .confidence in ("medium", "high")
28              )
29      )
30    )
31  )
32  and (
33    not (
34      headers.auth_summary.dmarc.pass
35      and headers.auth_summary.dmarc.details.from.domain in (
36        "azureadnotifications.us",
37        "microsoft.com",
38        "sharepointonline.com",
39        "cloudappsecurity.com",
40        "microsoftsupport.com",
41        "microsoft.onmicrosoft.com",
42        "yammer.com"
43      )
44    )
45    or headers.auth_summary.dmarc.pass is null
46    or headers.auth_summary.dmarc.details.from.domain is null
47  )
48  and (
49    not profile.by_sender().solicited
50    or (
51      profile.by_sender().any_messages_malicious_or_spam
52      and not profile.by_sender().any_false_positives
53    )
54  )
55  
56  // negate highly trusted sender domains unless they fail DMARC authentication
57  and (
58    (
59      sender.email.domain.root_domain in $high_trust_sender_root_domains
60      and not headers.auth_summary.dmarc.pass
61    )
62    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
63  )
64  and not profile.by_sender().any_false_positives  
65
66attack_types:
67  - "Credential Phishing"
68tactics_and_techniques:
69  - "Impersonation: Brand"
70  - "Social engineering"
71detection_methods:
72  - "Computer Vision"
73  - "Natural Language Understanding"
74  - "Sender analysis"
75id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"
to-top