Brand impersonation: Microsoft quarantine release notification
Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
Sublime rule

name: "Brand impersonation: Microsoft quarantine release notification"
description: |
  Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  and any(attachments,
          any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
              and any(ml.nlu_classifier(.scan.ocr.raw).entities, .name == "urgency")
          )
          and any(file.explode(.),
                  3 of (
                      strings.icontains(.scan.ocr.raw, "review"),
                      strings.icontains(.scan.ocr.raw, "release"),
                      strings.icontains(.scan.ocr.raw, "quarantine"),
                      strings.icontains(.scan.ocr.raw, "messages"),
                      any(ml.logo_detect(..).brands, strings.starts_with(.name, "Microsoft"))
                  )
          )
  )
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "185db6b3-b35c-578d-bd9f-dab0703288fe"