Brand impersonation: Microsoft quarantine release notification in image attachment

A message with an image attachment that contains credential theft language and references to the Microsoft Exchange quarantine, but that did not come from Microsoft.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Microsoft quarantine release notification in image attachment"
 2description: |
 3    Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(filter(attachments, .file_type not in $file_types_images)) == 0
 9  and any(attachments,
10          any(file.explode(.),
11              (
12                any(ml.nlu_classifier(.scan.ocr.raw).intents,
13                    .name == "cred_theft" and .confidence != "low"
14                )
15                or length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
16              )
17              and (
18                any(ml.nlu_classifier(.scan.ocr.raw).entities, .name == "urgency")
19                or any(ml.nlu_classifier(.scan.ocr.raw).entities,
20                       .name == "sender" and strings.icontains(.text, "Microsoft")
21                )
22              )
23          )
24          and any(file.explode(.),
25                  3 of (
26                    strings.icontains(.scan.ocr.raw, "review"),
27                    strings.icontains(.scan.ocr.raw, "release"),
28                    strings.icontains(.scan.ocr.raw, "quarantine"),
29                    strings.icontains(.scan.ocr.raw, "messages"),
30                    strings.icontains(.scan.ocr.raw, "blocked"),
31                    strings.icontains(.scan.ocr.raw, "notification"),
32                    any(ml.logo_detect(..).brands,
33                        strings.starts_with(.name, "Microsoft")
34                    )
35                  )
36          )
37  )
38  and sender.email.domain.root_domain not in (
39    "bing.com",
40    "microsoft.com",
41    "microsoftonline.com",
42    "microsoftsupport.com",
43    "microsoft365.com",
44    "office.com",
45    "onedrive.com",
46    "sharepointonline.com",
47    "yammer.com",
48  )
49  
50  // negate highly trusted sender domains unless they fail DMARC authentication
51  and (
52    (
53      sender.email.domain.root_domain in $high_trust_sender_root_domains
54      and not headers.auth_summary.dmarc.pass
55    )
56    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
57  )
58  and not profile.by_sender().solicited
59  and not profile.by_sender().any_false_positives  
60
61attack_types:
62  - "Credential Phishing"
63tactics_and_techniques:
64  - "Free file host"
65  - "Impersonation: Brand"
66  - "Social engineering"
67detection_methods:
68  - "Computer Vision"
69  - "Content analysis"
70  - "File analysis"
71  - "Header analysis"
72  - "Natural Language Understanding"
73  - "Optical Character Recognition"
74  - "Sender analysis"
75id: "185db6b3-b35c-578d-bd9f-dab0703288fe"