Brand impersonation: Microsoft quarantine release notification
Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
Sublime rule (View on GitHub)
name: "Brand impersonation: Microsoft quarantine release notification"
description: |
  Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
type: "rule"
severity: "high"
# Detection logic (MQL). The message must carry image-only attachments whose OCR text
# reads as credential theft with quarantine-release wording, while the sender's root
# domain is not one of the listed Microsoft domains.
source: |
  type.inbound
  // every attachment must be an image: the count of non-image attachments is zero
  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  and any(attachments,
          // pass 1 over the exploded image: NLU on the OCR text must either
          // classify as cred_theft (not low confidence) or return no intent at all
          any(file.explode(.),
              (
                any(ml.nlu_classifier(.scan.ocr.raw).intents,
                    .name == "cred_theft" and .confidence != "low"
                )
                or length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
              )
              // ...and the OCR text must carry an urgency cue or a sender entity naming Microsoft
              and (
                any(ml.nlu_classifier(.scan.ocr.raw).entities, .name == "urgency")
                or any(ml.nlu_classifier(.scan.ocr.raw).entities,
                       .name == "sender" and strings.icontains(.text, "Microsoft")
                )
              )
          )
          // pass 2 over the exploded image: quarantine-notification vocabulary.
          // At least three of the seven conditions below must hold; the logo match
          // counts as one of them. `..` presumably addresses the enclosing attachment
          // rather than the exploded file -- confirm against the MQL reference.
          and any(file.explode(.),
                  3 of (
                    strings.icontains(.scan.ocr.raw, "review"),
                    strings.icontains(.scan.ocr.raw, "release"),
                    strings.icontains(.scan.ocr.raw, "quarantine"),
                    strings.icontains(.scan.ocr.raw, "messages"),
                    strings.icontains(.scan.ocr.raw, "blocked"),
                    strings.icontains(.scan.ocr.raw, "notification"),
                    any(ml.logo_detect(..).brands,
                        strings.starts_with(.name, "Microsoft")
                    )
                  )
          )
  )
  // the impersonation test: a genuine Microsoft sender is excluded by root domain only,
  // so a lookalike registered under a different root domain still matches
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // sender-profile guards: skip senders the recipient has corresponded with and
  // senders previously marked as false positives
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "185db6b3-b35c-578d-bd9f-dab0703288fe"