Brand impersonation: Microsoft fake sign-in alert

Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Microsoft fake sign-in alert"
  2description: |
  3    Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.
  4type: "rule"
  5severity: "medium"
  6source: |
  7  type.inbound
  8  // no links found in body
  9  and length(body.links) == 0
 10  // Microsoft strings
 11  and (
 12    strings.contains(subject.subject, "Microsoft")
 13    or strings.contains(sender.display_name, "Microsoft")
 14    or strings.contains(body.current_thread.text, "Microsoft")
 15    or (
 16  
 17      // or Microsoft Brand logo
 18      any(attachments,
 19          .file_type in $file_types_images
 20          and any(ml.logo_detect(.).brands,
 21                  strings.starts_with(.name, "Microsoft")
 22          )
 23      )
 24    )
 25  )
 26  
 27  // Body contains Indicators of fake sign in notification
 28  and (
 29    regex.contains(body.current_thread.text,
 30                   '(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
 31    )
 32    or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
 33  )
 34  and (
 35  
 36    // If the sender is freemail
 37    sender.email.domain.domain in $free_email_providers
 38    or (
 39  
 40      // sender is not freemail, but the return path email or reply to email is  
 41      sender.email.domain.domain not in $free_email_providers
 42      and (
 43        headers.return_path.domain.root_domain in $free_email_providers
 44        or (
 45          length(headers.reply_to) > 0
 46          and (
 47            all(headers.reply_to,
 48                .email.domain.root_domain in $free_email_providers
 49            )
 50          )
 51        )
 52        or (
 53  
 54          // if all replyto domain, return_path domain, sender domain mismatch
 55          length(headers.reply_to) > 0
 56          and all(headers.reply_to,
 57                  .email.domain.domain != headers.return_path.domain.domain
 58                  and headers.return_path.domain.domain != sender.email.domain.domain
 59          )
 60        )
 61  
 62        // or the domain is less than 90 days old
 63        or network.whois(sender.email.domain).days_old <= 90
 64        or (
 65  
 66          // or Compauth verdict is not pass/softpass
 67          any(headers.hops,
 68              .authentication_results.compauth.verdict is not null
 69              and .authentication_results.compauth.verdict not in (
 70                "pass",
 71                "softpass"
 72              )
 73          )
 74        )
 75      )
 76    )
 77  )
 78  and sender.email.domain.root_domain not in (
 79    "bing.com",
 80    "microsoft.com",
 81    "microsoftonline.com",
 82    "microsoftsupport.com",
 83    "microsoft365.com",
 84    "office.com",
 85    "onedrive.com",
 86    "sharepointonline.com",
 87    "yammer.com",
 88  )  
 89attack_types:
 90  - "Credential Phishing"
 91tactics_and_techniques:
 92  - "Impersonation: Brand"
 93  - "Social engineering"
 94detection_methods:
 95  - "Computer Vision"
 96  - "Content analysis"
 97  - "File analysis"
 98  - "Header analysis"
 99  - "Sender analysis"
100  - "Whois"
101id: "3f4c9e7a-4d85-5bee-bc8c-3a737924c236"