Brand impersonation: Microsoft quarantine release notification in body

Message containing suspicious quarantine-release language in the body and a Microsoft logo attachment, but that did not come from Microsoft.

Sublime rule (View on GitHub)

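 name: "Brand impersonation: Microsoft quarantine release notification in body"
 description: "Message containing suspicious quarantine release language in the body, and a Microsoft logo attachment but did not come from Microsoft."
 type: "rule"
 severity: "high"
 source: |
   type.inbound
   // every attachment has a file type listed in $file_types_images;
   // a single non-image attachment (document, archive, ...) disqualifies the message
   and length(filter(attachments, .file_type not in $file_types_images)) == 0
   // at least one attachment explodes into an image that is most likely only a logo:
   // little or no OCR text (< 15 characters, or no OCR result at all)
   // and logo detection reports a brand whose name starts with "Microsoft"
   and any(attachments,
           any(file.explode(.),
               (
                 length(.scan.ocr.raw) < 15 or .scan.ocr.raw is null
               )
               and any(ml.logo_detect(..).brands,
                       strings.starts_with(.name, "Microsoft")
               )
           )
   )
   // the current message in the thread uses quarantine-release wording:
   // at least 3 of the phrases below appear (case-insensitive) in the body text.
   // body.current_thread.text does not depend on any attachment, so this is
   // evaluated once here rather than inside the any(attachments, ...) predicate.
   and (
     3 of (
       strings.ilike(body.current_thread.text, "*review*"),
       strings.ilike(body.current_thread.text, "*release*"),
       strings.ilike(body.current_thread.text, "*quarantine*"),
       strings.ilike(body.current_thread.text, "*messages*"),
       strings.ilike(body.current_thread.text, "*blocked*"),
       strings.ilike(body.current_thread.text, "*notification*"),
       strings.ilike(body.current_thread.text, "*kindly*")
     )
   )
   // the sender's root domain is not one of Microsoft's own domains
   and sender.email.domain.root_domain not in (
     "bing.com",
     "microsoft.com",
     "microsoftonline.com",
     "microsoftsupport.com",
     "microsoft365.com",
     "office.com",
     "office365.com",
     "onedrive.com",
     "sharepointonline.com",
     "yammer.com",
   )

   // negate highly trusted sender domains unless they fail DMARC authentication
   and (
     (
       sender.email.domain.root_domain in $high_trust_sender_root_domains
       and not headers.auth_summary.dmarc.pass
     )
     or sender.email.domain.root_domain not in $high_trust_sender_root_domains
   )
   // sender profile: exclude solicited senders and senders with prior false positives
   and not profile.by_sender().solicited
   and not profile.by_sender().any_false_positives

 attack_types:
   - "Credential Phishing"
 tactics_and_techniques:
   - "Impersonation: Brand"
   - "Social engineering"
 detection_methods:
   - "Computer Vision"
   - "Content analysis"
   - "File analysis"
   - "Sender analysis"
 id: "6d19527c-7ab9-5f0d-8c35-718dd30b704f"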