Brand impersonation: Microsoft quarantine release notification in image attachment
Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Microsoft quarantine release notification in image attachment"
2description: |
3 Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(filter(attachments, .file_type not in $file_types_images)) == 0
9 and any(attachments,
10 any(file.explode(.),
11 (
12 any(ml.nlu_classifier(.scan.ocr.raw).intents,
13 .name == "cred_theft" and .confidence != "low"
14 )
15 or (
16 length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
17 and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
18 )
19 )
20 and (
21 (
22 any(ml.nlu_classifier(.scan.ocr.raw).entities,
23 .name == "urgency"
24 )
25 )
26 or any(ml.nlu_classifier(.scan.ocr.raw).entities,
27 .name == "sender" and strings.icontains(.text, "Microsoft")
28 )
29 )
30 )
31 and any(file.explode(.),
32 3 of (
33 strings.icontains(.scan.ocr.raw, "review"),
34 strings.icontains(.scan.ocr.raw, "release"),
35 strings.icontains(.scan.ocr.raw, "quarantine"),
36 strings.icontains(.scan.ocr.raw, "messages"),
37 strings.icontains(.scan.ocr.raw, "blocked"),
38 strings.icontains(.scan.ocr.raw, "notification"),
39 any(ml.logo_detect(..).brands,
40 strings.starts_with(.name, "Microsoft")
41 )
42 )
43 )
44 )
45 and sender.email.domain.root_domain not in (
46 "bing.com",
47 "microsoft.com",
48 "microsoftonline.com",
49 "microsoftsupport.com",
50 "microsoft365.com",
51 "office.com",
52 "onedrive.com",
53 "sharepointonline.com",
54 "yammer.com",
55 )
56
57 // negate highly trusted sender domains unless they fail DMARC authentication
58 and (
59 (
60 sender.email.domain.root_domain in $high_trust_sender_root_domains
61 and not headers.auth_summary.dmarc.pass
62 )
63 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
64 )
65 and not profile.by_sender().solicited
66 and not profile.by_sender().any_false_positives
67
68attack_types:
69 - "Credential Phishing"
70tactics_and_techniques:
71 - "Free file host"
72 - "Impersonation: Brand"
73 - "Social engineering"
74detection_methods:
75 - "Computer Vision"
76 - "Content analysis"
77 - "File analysis"
78 - "Header analysis"
79 - "Natural Language Understanding"
80 - "Optical Character Recognition"
81 - "Sender analysis"
82id: "185db6b3-b35c-578d-bd9f-dab0703288fe"