Brand impersonation: Microsoft fake sign-in alert

Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.

Sublime rule (View on GitHub)

# Sublime detection rule: YAML metadata plus an MQL query in `source`.
# The rule matches only when every top-level `and` clause of the query holds.
name: "Brand impersonation: Microsoft fake sign-in alert"
description: |
    Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.
type: "rule"
severity: "medium"
source: |
  // inbound mail only
  type.inbound
  // no links found in body (the lure asks for a reply instead of a click)
  and length(body.links) == 0
  // Microsoft strings
  // NOTE(review): strings.contains is case-sensitive as written, so a
  // lowercase "microsoft" in the subject/display name/body would not match
  // here — confirm that is intended.
  and (
    strings.contains(subject.subject, "Microsoft")
    or strings.contains(sender.display_name, "Microsoft")
    or strings.contains(body.current_thread.text, "Microsoft")
    or (

      // or Microsoft Brand logo: an image attachment whose detected
      // logo brand name starts with "Microsoft"
      any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
      )
    )
  )

  // Body contains Indicators of fake sign in notification
  // The "." in "Country.region" is an unescaped regex wildcard, so any single
  // character between the two words (e.g. "/") matches. Both patterns are
  // case-sensitive: no (?i) flag, and "Unusual" requires a capital U.
  and (
    regex.contains(body.current_thread.text,
                   '(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
    )
    or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
  )
  // Sender-infrastructure indicators: exactly one of the two branches below
  // must hold.
  and (

    // Branch 1: the sender domain itself is in the $free_email_providers list
    sender.email.domain.domain in $free_email_providers
    or (

      // Branch 2: sender is not freemail, but at least one of the
      // following holds for the return path / reply-to / domain / auth
      sender.email.domain.domain not in $free_email_providers
      and (
        // return-path root domain is freemail
        headers.return_path.domain.root_domain in $free_email_providers
        or (
          // every reply-to address has a freemail root domain
          length(headers.reply_to) > 0
          and (all(headers.reply_to, .email.domain.root_domain in $free_email_providers))
        )
        or (

          // every reply-to domain differs from the return-path domain, and
          // the return-path domain differs from the sender domain
          // (reply-to vs. sender is not compared by this clause)
          // NOTE(review): this clause compares .domain.domain while the
          // freemail checks above use .root_domain — confirm the mix is intended.
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.domain != headers.return_path.domain.domain
                  and headers.return_path.domain.domain != sender.email.domain.domain
          )
        )

        // or the sender domain is 90 days old or newer per WHOIS
        or network.whois(sender.email.domain).days_old <= 90
        or (

          // or Compauth verdict is not pass/softpass: some hop carries a
          // composite-authentication verdict that is present and is
          // neither "pass" nor "softpass"
          any(headers.hops,
              .authentication_results.compauth.verdict is not null
              and .authentication_results.compauth.verdict not in ("pass", "softpass")
          )
        )
      )
    )
  )
  // Exclude senders whose root domain is one of the Microsoft domains below,
  // so genuine Microsoft alerts are not flagged.
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )  
# Classification metadata for the rule.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
# Analysis techniques the query above relies on.
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "3f4c9e7a-4d85-5bee-bc8c-3a737924c236"