Brand impersonation: Microsoft with embedded logo and credential theft language

This rule detects messages that impersonate Microsoft via a logo and contain credential theft language, sent from a new and unsolicited sender.


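 # Sublime Security detection rule. The `source` block scalar holds the MQL query;
 # `//` lines inside it are MQL comments and do not affect the query logic.
name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
type: "rule"
severity: "high"
source: |
  // Scope: inbound messages that carry no attachments. A Microsoft-themed lure
  // delivered inside an attachment is therefore out of scope for this rule.
  type.inbound
  and length(attachments) == 0

  // Computer vision: a rendered screenshot of the message must contain a detected
  // brand logo whose name starts with "Microsoft" (prefix match, so any detected
  // brand name beginning with "Microsoft" qualifies).
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          strings.starts_with(.name, "Microsoft")
  )

  // NLU: the text of the current thread must carry a "cred_theft" intent at
  // medium or high confidence; low-confidence classifications are excluded.
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
  )

  // Authentication gate: a message is exempted only when DMARC passes AND the
  // authenticated From domain is one of the listed Microsoft-owned domains.
  // A null DMARC result or a null From domain does NOT exempt the message.
  // NOTE(review): the list is compared as an exact string match; confirm whether
  // `details.from.domain` yields the full From domain or its root domain, since
  // that decides whether legitimate Microsoft subdomain senders are exempted.
  and (
    not (
      headers.auth_summary.dmarc.pass
      and headers.auth_summary.dmarc.details.from.domain in (
        "microsoft.com",
        "sharepointonline.com",
        "cloudappsecurity.com",
        "microsoftsupport.com",
        "microsoft.onmicrosoft.com"
      )
    )
    or headers.auth_summary.dmarc.pass is null
    or headers.auth_summary.dmarc.details.from.domain is null
  )

  // Sender profile: fire on unsolicited senders, or on solicited senders whose
  // history includes malicious/spam messages and no false positives. The rule
  // description says "new and unsolicited", but the second branch also covers
  // solicited senders with a known-bad history.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // ($high_trust_sender_root_domains is defined outside this file; a sender on
  // that list is only considered when its message fails DMARC).
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // Global false-positive guard. This also makes the `any_false_positives`
  // check inside the sender-profile branch above redundant; it is kept so each
  // block reads on its own.
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"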