Brand impersonation: Microsoft Teams

calendar Dec 3, 2024  ยท
Share on: linkedin copy

Impersonation of a Microsoft Teams message.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Microsoft Teams"
 2description: |
 3    Impersonation of a Microsoft Teams message.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(filter(attachments,
 9                    .file_type in $file_types_images or .file_type == "pdf"
10             )
11  ) < 10
12  and any(attachments,
13          (.file_type in $file_types_images or .file_type == "pdf")
14          and any(file.explode(.),
15                  regex.icontains(.scan.ocr.raw,
16                                  "trying to reach you.*microsoft teams"
17                  )
18          )
19  )
20  and sender.email.domain.root_domain not in (
21    "microsoft.com",
22    "microsoftsupport.com",
23    "office.com"
24  )  
25attack_types:
26  - "Credential Phishing"
27tactics_and_techniques:
28  - "Impersonation: Brand"
29  - "Social engineering"
30detection_methods:
31  - "Content analysis"
32  - "File analysis"
33  - "Optical Character Recognition"
34  - "Sender analysis"
35id: "9cd53055-8e1a-5a45-b78f-34a62f0793dd"
to-top