Brand impersonation: Microsoft quarantine release notification in body

Message containing suspicious quarantine-release language in the body and a Microsoft logo attachment, but which did not come from Microsoft.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Microsoft quarantine release notification in body"
 2description: "Message containing suspicious quarantine release language in the body, and a Microsoft logo attachment but did not come from Microsoft."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(filter(attachments, .file_type not in $file_types_images)) == 0
 8  and any(attachments,
 9          any(file.explode(.),
10              (
11                // attachment is most likely only a logo 
12                (
13                  length(.scan.ocr.raw) < 15 or .scan.ocr.raw is null
14                )
15                and any(ml.logo_detect(..).brands,
16                        strings.starts_with(.name, "Microsoft")
17                )
18              )
19          )
20          and (
21            3 of (
22              strings.ilike(body.current_thread.text, "*review*"),
23              strings.ilike(body.current_thread.text, "*release*"),
24              strings.ilike(body.current_thread.text, "*quaratine*"),
25              strings.ilike(body.current_thread.text, "*messages*"),
26              strings.ilike(body.current_thread.text, "*blocked*"),
27              strings.ilike(body.current_thread.text, "*notification*"),
28              strings.ilike(body.current_thread.text, "*kindly*")
29            )
30          )
31  )
32  and sender.email.domain.root_domain not in (
33    "bing.com",
34    "microsoft.com",
35    "microsoftonline.com",
36    "microsoftsupport.com",
37    "microsoft365.com",
38    "office.com",
39    "onedrive.com",
40    "sharepointonline.com",
41    "yammer.com",
42  )
43  
44  // negate highly trusted sender domains unless they fail DMARC authentication
45  and (
46    (
47      sender.email.domain.root_domain in $high_trust_sender_root_domains
48      and not headers.auth_summary.dmarc.pass
49    )
50    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
51  )
52  and not profile.by_sender().solicited
53  and not profile.by_sender().any_false_positives
54    
55attack_types:
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "Impersonation: Brand"
59  - "Social engineering"
60detection_methods:
61  - "Computer Vision"
62  - "Content analysis"
63  - "File analysis"
64  - "Sender analysis"
65id: "6d19527c-7ab9-5f0d-8c35-718dd30b704f"