Brand impersonation: Microsoft quarantine release notification

Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# Intent: catch inbound mail that imitates a Microsoft Exchange quarantine
# release notice (image-only body, OCR'd credential-theft language, quarantine
# wording / Microsoft logo) when the sender's root domain is not a Microsoft one.
name: "Brand impersonation: Microsoft quarantine release notification"
description: |
    Message contains credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
type: "rule"
severity: "high"
source: |
  type.inbound
  // every attachment must be an image type; one non-image attachment makes the rule skip the message
  and length(filter(attachments, .file_type not in $file_types_images)) == 0
  // a single attachment must satisfy both sub-conditions (the exploded files that
  // satisfy each may differ): (1) OCR text classifies as cred_theft with confidence
  // other than "low" and carries an "urgency" entity, and (2) at least 3 of the 5
  // quarantine-notice markers (4 keyword checks + a brand starting with "Microsoft"
  // from logo detection on `..`, presumably the parent attachment -- confirm) hold
  and any(attachments,
          any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
              and any(ml.nlu_classifier(.scan.ocr.raw).entities, .name == "urgency")
          )
          and any(file.explode(.),
                  3 of (
                    strings.icontains(.scan.ocr.raw, "review"),
                    strings.icontains(.scan.ocr.raw, "release"),
                    strings.icontains(.scan.ocr.raw, "quarantine"),
                    strings.icontains(.scan.ocr.raw, "messages"),
                    any(ml.logo_detect(..).brands, strings.starts_with(.name, "Microsoft"))
                  )
          )
  )
  // exclude mail whose sender root domain is one of these Microsoft-owned domains.
  // NOTE(review): unlike the high-trust clause below, this exclusion does not look at
  // DMARC results, so a message claiming one of these root domains is excluded even
  // when authentication fails -- relies on those domains being enforced upstream; confirm
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a high-trust root domain only stays in scope when some hop carrying a DMARC
  // result reports a value ending in "fail", case-insensitively)
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // sender-profile suppressions: skip senders the recipient has solicited mail from
  // or that already have a recorded false positive (exact profile semantics: see platform docs)
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives  
# catalog metadata used for classification and reporting; not part of the query
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "185db6b3-b35c-578d-bd9f-dab0703288fe"