Brand impersonation: Microsoft with embedded logo and credential theft language

This rule detects messages that impersonate Microsoft via an embedded logo and contain credential theft language, sent from a new and unsolicited sender.

Sublime rule (View on GitHub)

# Sublime detection rule. A message fires when ALL of the following hold:
#   1. it is inbound and carries no attachments, or only image/PDF attachments;
#   2. logo detection on a screenshot of the rendered message finds a brand
#      whose name starts with "Microsoft";
#   3. the NLU classifier finds credential-theft intent (medium/high confidence)
#      in the thread text, or in OCR of the screenshot when there is no text;
#   4. it is NOT DMARC-authenticated from one of the listed Microsoft domains,
#      and none of the explicit Planner / onmicrosoft / SharePoint carve-outs apply;
#   5. the sender is unsolicited (or solicited but previously malicious/spam),
#      has no recorded false positives, and is not a high-trust root domain
#      that passes DMARC.
# Each suppression in (4) is deliberately narrow: an unauthenticated message is
# never excused by its From domain alone.
name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Attachment gate: either no attachments at all, or every attachment is an
  // image type or a PDF. Any other attachment type takes the message out of
  // scope for this rule.
  and (
    (
      length(attachments) > 0
      and all(attachments,
              .file_type in $file_types_images or .file_type == "pdf"
      )
    )
    or length(attachments) == 0
  )
  // Visual brand check on a screenshot of the rendered message. The prefix
  // match presumably also covers product brands such as "Microsoft 365" or
  // "Microsoft Teams" if the detector emits them with that prefix -- confirm.
  and any(ml.logo_detect(beta.message_screenshot()).brands,
          strings.starts_with(.name, "Microsoft")
  )
  // Credential-theft intent at medium or high confidence ("low" is ignored).
  // First branch: classify the current thread text. Second branch: when the
  // text body is empty (image-only lure), explode the screenshot and classify
  // the OCR output of each exploded item instead.
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in ("medium", "high")
    )
    or (
      length(body.current_thread.text) == 0
      and any(file.explode(beta.message_screenshot()),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence in ("medium", "high")
              )
      )
    )
  )
  // Authentication gate. The rule is suppressed only when DMARC passes AND the
  // DMARC-aligned From domain is one of the listed Microsoft-operated domains.
  // A null DMARC result or a null From domain does NOT suppress the rule, so
  // missing authentication data fails towards detection rather than towards
  // trust.
  and (
    not (
      headers.auth_summary.dmarc.pass
      and headers.auth_summary.dmarc.details.from.domain in (
        "azureadnotifications.us",
        "microsoft.com",
        "sharepointonline.com",
        "cloudappsecurity.com",
        "microsoftsupport.com",
        "microsoft.onmicrosoft.com",
        "yammer.com"
      )
    )
    or headers.auth_summary.dmarc.pass is null
    or headers.auth_summary.dmarc.details.from.domain is null
  )
  // Known legitimate Planner notifications: the sender domain, the Return-Path
  // address and the DMARC From domain must all agree on planner.office365.com.
  // Note this carve-out does not itself require a DMARC pass.
  and not (
    sender.email.domain.domain == "planner.office365.com"
    and headers.return_path.email == "noreply@planner.office365.com"
    and headers.auth_summary.dmarc.details.from.domain == "planner.office365.com"
  )
  // Microsoft has some legit onmicrosoft domains...
  // Unlike the DMARC allowlist above, this exception keys on an SPF pass plus
  // every body link resolving to the microsoft.com root domain. Only the
  // microsoft.onmicrosoft.com tenant is exempted; other *.onmicrosoft.com
  // tenants are not.
  and not (
    sender.email.domain.domain == "microsoft.onmicrosoft.com"
    and headers.auth_summary.spf.pass
    and all(body.links, .href_url.domain.root_domain == "microsoft.com")
  )
  // message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
  // Matches on Message-ID shape only (case-insensitive '<Share-*' / '<MassDelete-*'
  // prefix and '@odspnotify>' suffix); it is a best-effort heuristic, not an
  // authentication check.
  and not (
    strings.ilike(headers.message_id, '<Share-*', '<MassDelete-*')
    and strings.ends_with(headers.message_id, '@odspnotify>')
  )
  // Sender reputation: fire for unsolicited senders, or for solicited senders
  // that have previously sent malicious/spam mail and have no false positives.
  // (The inner any_false_positives check is also enforced globally by the
  // final clause of this rule.)
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust root domain is only allowed through when DMARC passes;
  // a failing or absent pass keeps it in scope.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Global false-positive suppression for the sender, regardless of the
  // solicited/unsolicited branch taken above.
  and not profile.by_sender().any_false_positives  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"