Brand impersonation: Microsoft quarantine release notification

Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.


 1name: "Brand impersonation: Microsoft quarantine release notification"
 2description: |
 3    Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(filter(attachments, .file_type not in $file_types_images)) == 0
 9  and any(attachments,
10          any(file.explode(.),
11              (
12                any(ml.nlu_classifier(.scan.ocr.raw).intents,
13                    .name == "cred_theft" and .confidence != "low"
14                )
15                or length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
16              )
17              and (
18                any(ml.nlu_classifier(.scan.ocr.raw).entities, .name == "urgency")
19                or any(ml.nlu_classifier(.scan.ocr.raw).entities,
20                       .name == "sender" and strings.icontains(.text, "Microsoft")
21                )
22              )
23          )
24          and any(file.explode(.),
25                  3 of (
26                    strings.icontains(.scan.ocr.raw, "review"),
27                    strings.icontains(.scan.ocr.raw, "release"),
28                    strings.icontains(.scan.ocr.raw, "quarantine"),
29                    strings.icontains(.scan.ocr.raw, "messages"),
30                    strings.icontains(.scan.ocr.raw, "blocked"),
31                    strings.icontains(.scan.ocr.raw, "notification"),
32                    any(ml.logo_detect(..).brands,
33                        strings.starts_with(.name, "Microsoft")
34                    )
35                  )
36          )
37  )
38  and sender.email.domain.root_domain not in (
39    "bing.com",
40    "microsoft.com",
41    "microsoftonline.com",
42    "microsoftsupport.com",
43    "microsoft365.com",
44    "office.com",
45    "onedrive.com",
46    "sharepointonline.com",
47    "yammer.com",
48  )
49  
50  // negate highly trusted sender domains unless they fail DMARC authentication
51  and (
52    (
53      sender.email.domain.root_domain in $high_trust_sender_root_domains
54      and not headers.auth_summary.dmarc.pass
55    )
56    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
57  )
58  and not profile.by_sender().solicited
59  and not profile.by_sender().any_false_positives  
60
61attack_types:
62  - "Credential Phishing"
63tactics_and_techniques:
64  - "Free file host"
65  - "Impersonation: Brand"
66  - "Social engineering"
67detection_methods:
68  - "Computer Vision"
69  - "Content analysis"
70  - "File analysis"
71  - "Header analysis"
72  - "Natural Language Understanding"
73  - "Optical Character Recognition"
74  - "Sender analysis"
75id: "185db6b3-b35c-578d-bd9f-dab0703288fe"