Brand impersonation: Microsoft with embedded logo and credential theft language

 1name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
 2description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  and any(ml.logo_detect(beta.message_screenshot()).brands, 
 9      strings.starts_with(.name, "Microsoft")
10  )
11  and any(ml.nlu_classifier(body.current_thread.text).intents, 
12      .name == "cred_theft" and .confidence in ("medium", "high")
13  )
14  and (
15    not any(headers.hops,
16            .authentication_results.compauth.verdict is not null
17            and .authentication_results.compauth.verdict == "pass"
18            and sender.email.domain.domain in (
19              "microsoft.com",
20              "sharepointonline.com",
21              "cloudappsecurity.com"
22            )
23    )
24  )
25  and (
26    (
27      not profile.by_sender().solicited
28    )
29    or (
30      profile.by_sender().any_messages_malicious_or_spam
31      and not profile.by_sender().any_false_positives
32    )
33  )
34  
35  // negate highly trusted sender domains unless they fail DMARC authentication
36  and (
37    (
38      sender.email.domain.root_domain in $high_trust_sender_root_domains
39      and not headers.auth_summary.dmarc.pass
40    )
41    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
42  )
43  
44  and not profile.by_sender().any_false_positives  
45attack_types:
46  - "Credential Phishing"
47tactics_and_techniques:
48  - "Impersonation: Brand"
49  - "Social engineering"
50detection_methods:
51  - "Computer Vision"
52  - "Natural Language Understanding"
53  - "Sender analysis"
54id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"