Brand impersonation: Microsoft with embedded logo and credential theft language

This rule detects messages that impersonate Microsoft via an embedded logo and contain credential-theft language, sent by a new and unsolicited sender.


  1name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
  2description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and (
  8    (
  9      length(attachments) > 0
 10      and all(attachments,
 11              .file_type in $file_types_images or .file_type == "pdf"
 12      )
 13    )
 14    or length(attachments) == 0
 15  )
 16  and any(ml.logo_detect(beta.message_screenshot()).brands,
 17          strings.starts_with(.name, "Microsoft")
 18  )
 19  and (
 20    any(ml.nlu_classifier(body.current_thread.text).intents,
 21        .name == "cred_theft" and .confidence in ("medium", "high")
 22    )
 23    or (
 24      length(body.current_thread.text) == 0
 25      and any(file.explode(beta.message_screenshot()),
 26              any(ml.nlu_classifier(.scan.ocr.raw).intents,
 27                  .name == "cred_theft" and .confidence in ("medium", "high")
 28              )
 29      )
 30    )
 31  )
 32  and (
 33    not (
 34      headers.auth_summary.dmarc.pass
 35      and headers.auth_summary.dmarc.details.from.domain in (
 36        "azureadnotifications.us",
 37        "microsoft.com",
 38        "sharepointonline.com",
 39        "cloudappsecurity.com",
 40        "microsoftsupport.com",
 41        "microsoft.onmicrosoft.com",
 42        "yammer.com"
 43      )
 44    )
 45    or headers.auth_summary.dmarc.pass is null
 46    or headers.auth_summary.dmarc.details.from.domain is null
 47  )
 48  and not (
 49    sender.email.domain.domain == "planner.office365.com"
 50    and headers.return_path.email == "noreply@planner.office365.com"
 51    and headers.auth_summary.dmarc.details.from.root_domain == "office365.com"
 52  )
 53  // Microsoft has some legit onmicrosoft domains...
 54  and not (
 55    sender.email.domain.domain == "microsoft.onmicrosoft.com"
 56    and headers.auth_summary.spf.pass
 57    and all(body.links, .href_url.domain.root_domain == "microsoft.com")
 58  )
 59  // message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
 60  and not (
 61    (
 62      strings.ilike(headers.message_id,
 63                    '<Share-*',
 64                    '<MassDelete-*',
 65                    '<FileDeleteAfterExpiration-*',
 66                    '<NotifyOwnerSharedWithExternalUsers*',
 67                    '<OneTimePasscode*'
 68      )
 69      and strings.ends_with(headers.message_id, '@odspnotify>')
 70    )
 71    or (
 72      any(headers.hops,
 73          any(.fields,
 74              .name == "X-Google-Original-Message-ID"
 75              and strings.ilike(.value,
 76                                '<Share-*',
 77                                '<MassDelete-*',
 78                                '<FileDeleteAfterExpiration-*',
 79                                '<NotifyOwnerSharedWithExternalUsers*',
 80                                '<OneTimePasscode*'
 81              )
 82              and strings.ends_with(.value, '@odspnotify>')
 83          )
 84      )
 85    )
 86  )
 87  and (
 88    not profile.by_sender().solicited
 89    or (
 90      profile.by_sender().any_messages_malicious_or_spam
 91      and not profile.by_sender().any_false_positives
 92    )
 93  )
 94  
 95  // negate org domains unless they fail DMARC authentication
 96  and (
 97    (
 98      sender.email.domain.root_domain in $org_domains
 99      and (
100        not headers.auth_summary.dmarc.pass
101        // MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
102        or not (
103          headers.auth_summary.dmarc.pass is null
104          and all(headers.domains,
105                  .root_domain in ("outlook.com", "office365.com")
106          )
107          // typical emails from freemail Outlook accounts are from prod.outlook.com
108          and strings.ends_with(headers.message_id, "protection.outlook.com>")
109        )
110      )
111    )
112    or sender.email.domain.root_domain not in $org_domains
113  )
114  
115  // negate highly trusted sender domains unless they fail DMARC authentication
116  and (
117    (
118      sender.email.domain.root_domain in $high_trust_sender_root_domains
119      and not headers.auth_summary.dmarc.pass
120    )
121    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
122  )
123  and not profile.by_sender().any_false_positives  
124
125attack_types:
126  - "Credential Phishing"
127tactics_and_techniques:
128  - "Impersonation: Brand"
129  - "Social engineering"
130detection_methods:
131  - "Computer Vision"
132  - "Natural Language Understanding"
133  - "Sender analysis"
134id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"