Brand impersonation: Microsoft quarantine release notification in image attachment

Message with an image attachment containing credential-theft language and references to the Microsoft Exchange quarantine, but that did not come from Microsoft.

Sublime rule

 1name: "Brand impersonation: Microsoft quarantine release notification in image attachment"
 2description: |
 3    Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(filter(attachments, .file_type not in $file_types_images)) == 0
 9  and any(attachments,
10          any(file.explode(.),
11              (
12                any(ml.nlu_classifier(.scan.ocr.raw).intents,
13                    .name == "cred_theft" and .confidence != "low"
14                )
15                or (
16                  length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
17                  and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
18                )
19              )
20              and (
21                (
22                  any(ml.nlu_classifier(.scan.ocr.raw).entities,
23                      .name == "urgency"
24                  )
25                )
26                or any(ml.nlu_classifier(.scan.ocr.raw).entities,
27                       .name == "sender" and strings.icontains(.text, "Microsoft")
28                )
29              )
30          )
31          and any(file.explode(.),
32                  3 of (
33                    strings.icontains(.scan.ocr.raw, "review"),
34                    strings.icontains(.scan.ocr.raw, "release"),
35                    strings.icontains(.scan.ocr.raw, "quarantine"),
36                    strings.icontains(.scan.ocr.raw, "messages"),
37                    strings.icontains(.scan.ocr.raw, "blocked"),
38                    strings.icontains(.scan.ocr.raw, "notification"),
39                    any(ml.logo_detect(..).brands,
40                        strings.starts_with(.name, "Microsoft")
41                    )
42                  )
43          )
44  )
45  and sender.email.domain.root_domain not in (
46    "bing.com",
47    "microsoft.com",
48    "microsoftonline.com",
49    "microsoftsupport.com",
50    "microsoft365.com",
51    "office.com",
52    "onedrive.com",
53    "sharepointonline.com",
54    "yammer.com",
55  )
56  
57  // negate highly trusted sender domains unless they fail DMARC authentication
58  and (
59    (
60      sender.email.domain.root_domain in $high_trust_sender_root_domains
61      and not headers.auth_summary.dmarc.pass
62    )
63    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
64  )
65  and not profile.by_sender().solicited
66  and not profile.by_sender().any_false_positives  
67
68attack_types:
69  - "Credential Phishing"
70tactics_and_techniques:
71  - "Free file host"
72  - "Impersonation: Brand"
73  - "Social engineering"
74detection_methods:
75  - "Computer Vision"
76  - "Content analysis"
77  - "File analysis"
78  - "Header analysis"
79  - "Natural Language Understanding"
80  - "Optical Character Recognition"
81  - "Sender analysis"
82id: "185db6b3-b35c-578d-bd9f-dab0703288fe"