Brand impersonation: Microsoft with embedded logo and credential theft language
This rule detects messages that impersonate Microsoft via a logo and contain credential-theft language. From a new and unsolicited sender.
# Sublime detection rule: Microsoft brand impersonation (logo) + credential-theft language,
# restricted to senders the recipient has no established relationship with.
name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
type: "rule"
severity: "high"
# MQL query; every top-level clause below must hold for the rule to fire.
source: |
  type.inbound
  // attachment-free messages only
  and length(attachments) == 0
  // computer-vision logo match on a rendered screenshot of the message (beta API);
  // any detected brand whose name starts with "Microsoft" satisfies the clause
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          strings.starts_with(.name, "Microsoft")
  )
  // the NLU classifier must label the current thread body as credential theft
  // at medium or high confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // suppress mail that passes DMARC from a Microsoft-operated From domain;
  // a null DMARC result or null From domain does NOT qualify for the suppression,
  // so unauthenticated mail keeps matching
  and (
    not (
      headers.auth_summary.dmarc.pass
      // NOTE(review): exact-match list — confirm whether from.domain here is the
      // registered root domain or the full From-header domain (subdomain handling)
      and headers.auth_summary.dmarc.details.from.domain in (
        "azureadnotifications.us",
        "microsoft.com",
        "sharepointonline.com",
        "cloudappsecurity.com",
        "microsoftsupport.com",
        "microsoft.onmicrosoft.com",
        "yammer.com"
      )
    )
    or headers.auth_summary.dmarc.pass is null
    or headers.auth_summary.dmarc.details.from.domain is null
  )
  // sender profile: unsolicited, or a solicited sender with prior malicious/spam
  // messages and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // global false-positive guard (this also makes the same check inside the
  // sender-profile block above redundant)
  and not profile.by_sender().any_false_positives

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
# Signal families the query relies on: logo detection, NLU intent, sender profile/auth.
detection_methods:
  - "Computer Vision"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier.
id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"