Brand impersonation: Microsoft logo in HTML with fake quarantine release notification

A message that contains a Microsoft logo built from HTML table cells and references the Microsoft Exchange quarantine, but did not come from a Microsoft sending domain.


  1name: "Brand impersonation: Microsoft logo in HTML with fake quarantine release notification"
  2description: "A message containing a Microsoft logo generated using HTML tables and references to the Microsoft Exchange quarantine, but did not come from Microsoft."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and 0 < length(body.links) < 10
  8  // Microsoft logo via HTML table composition
  9  and (
 10    regex.icontains(body.html.raw,
 11                    '<table[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s*&nbsp;\s*</td>\s*){2}\s*</tr>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s*&nbsp;\s*</td>\s*){2}'
 12    )
 13    or regex.icontains(body.html.raw,
 14                       '<td style="background:\s*rgb\(246,\s*93,\s*53\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(129,\s*187,\s*5\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(4,\s*165,\s*240\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(255,\s*186,\s*7\);\s*height:\d+px;">'
 15    )
 16    or 4 of (
 17      regex.icontains(body.html.raw,
 18                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(245, 189, 67\);">.{0,10}</td>'
 19      ),
 20      regex.icontains(body.html.raw,
 21                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(137, 184, 57\);">.{0,10}</td>'
 22      ),
 23      regex.icontains(body.html.raw,
 24                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(217, 83, 51\);">.{0,10}</td>'
 25      ),
 26      regex.icontains(body.html.raw,
 27                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(71, 160, 218\);">.{0,10}</td>'
 28      )
 29    )
 30    or regex.icontains(body.html.raw,
 31                       '<DIV[^>]*><SPAN style="[^"]*BACKGROUND-COLOR: #ff1940"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #3eb55d"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #04b5f0"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #ffca07"></SPAN></DIV>'
 32    )
 33    or regex.icontains(body.html.raw,
 34                       '<span style="[^"]*background-color:\s*#FF1941;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#36ba58;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#04a1d6;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#FFCA08;[^"]*"></span>'
 35    )
 36    or regex.icontains(body.html.raw,
 37                       '<td[^>]+background:#f25022[^>]+>.*?<td[^>]+background:#7fba00[^>]+>.*?<td[^>]+background:#01a4ef[^>]+>.*?<td[^>]+background:#ffb901[^>]+>'
 38    )
 39    or regex.icontains(body.html.raw,
 40                       '<td bgcolor="red".*?<td bgcolor="green".*?<td bgcolor="#04a5f0".*?<td bgcolor="#ffba07"'
 41    )
 42    or 4 of (
 43      regex.icontains(body.html.raw,
 44                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(73, 161, 232\);">.{0,10}</td>'
 45      ),
 46      regex.icontains(body.html.raw,
 47                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(224, 92, 53\);">.{0,10}</td>'
 48      ),
 49      regex.icontains(body.html.raw,
 50                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(139, 183, 55\);">.{0,10}</td>'
 51      ),
 52      regex.icontains(body.html.raw,
 53                      '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(244, 188, 65\);">.{0,10}</td>'
 54      )
 55    )
 56    or regex.icontains(body.html.raw,
 57                       '<td style="BACKGROUND-COLOR: red".*?<td style="BACKGROUND-COLOR: rgb\(19,186,132\)".*?<td style="BACKGROUND-COLOR: rgb\(4,166,240\)".*?<td style="BACKGROUND-COLOR: rgb\(255,186,8\)"'
 58    )
 59    or 4 of (
 60      regex.icontains(body.html.raw, 'background-color:rgb\(213,56,62\)'),
 61      regex.icontains(body.html.raw, 'background-color:rgb\(0,114,30\)'),
 62      regex.icontains(body.html.raw, 'background-color:rgb\(0,110,173\)'),
 63      regex.icontains(body.html.raw, 'background-color:rgb\(227,209,43\)'),
 64    )
 65    or 4 of (
 66      regex.icontains(body.html.raw, '<td[^>]*bgcolor="#F25022">&nbsp;</td>'),
 67      regex.icontains(body.html.raw, '<td[^>]*bgcolor="#7FBA00">&nbsp;</td>'),
 68      regex.icontains(body.html.raw,
 69                      '<td[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*>&nbsp;</td>'
 70      ),
 71      regex.icontains(body.html.raw,
 72                      '<td[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*>&nbsp;</td>'
 73      )
 74    )
 75    or regex.icontains(body.html.raw,
 76                       '<DIV[^>]*><SPAN[^>]*background-color:\s*#FF1940;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#36ba57;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#04a1d6;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#FFCA07;[^>]*><\/SPAN><\/DIV>'
 77    )
 78    or 3 of (
 79      regex.icontains(body.html.raw, '.password-expiration'),
 80      regex.icontains(body.html.raw, 'color: #2672ec;'),
 81      regex.icontains(body.html.raw, 'M­ic­ro­so­ft')
 82    )
 83    or 4 of (
 84      regex.icontains(body.html.raw, 'background-color:#FF1940;'),
 85      regex.icontains(body.html.raw, 'background-color:#3eb55d;'),
 86      regex.icontains(body.html.raw, 'background-color:#04B5F0;'),
 87      regex.icontains(body.html.raw, 'background-color:#FFCA07;'),
 88    )
 89    or 4 of (
 90      regex.icontains(body.html.raw, 'bgcolor="#eb5024"'),
 91      regex.icontains(body.html.raw, 'bgcolor="#7db606"'),
 92      regex.icontains(body.html.raw, 'bgcolor="#05a1e8"'),
 93      regex.icontains(body.html.raw, 'bgcolor="#f7b408"'),
 94    )
 95    or 4 of (
 96      regex.icontains(body.html.raw, '<td style="background: #E74F23;'),
 97      regex.icontains(body.html.raw, '<td style="background: #7AB206;'),
 98      regex.icontains(body.html.raw, '<td style="background: #059EE4;'),
 99      regex.icontains(body.html.raw, '<td style="background: #F2B108;'),
100    )
101    or 4 of (
102      regex.icontains(body.html.raw, 'background-color:rgb\(246,93,53\)'),
103      regex.icontains(body.html.raw, 'background-color:rgb\(129,187,5\)'),
104      regex.icontains(body.html.raw, 'background-color:rgb\(4,165,240\)'),
105      regex.icontains(body.html.raw, 'background-color:rgb\(255,186,7\)')
106    )
107    and 3 of (
108      strings.icontains(body.current_thread.text, "review"),
109      strings.icontains(body.current_thread.text, "release"),
110      strings.icontains(body.current_thread.text, "quarantine"),
111      strings.icontains(body.current_thread.text, "messages"),
112      strings.icontains(body.current_thread.text, "recover"),
113      strings.icontains(body.current_thread.text, "server error")
114    )
115    and sender.email.domain.root_domain not in (
116      "bing.com",
117      "microsoft.com",
118      "microsoftonline.com",
119      "microsoftsupport.com",
120      "microsoft365.com",
121      "office.com",
122      "onedrive.com",
123      "sharepointonline.com",
124      "yammer.com",
125    )
126  )
127  
128  // negate highly trusted sender domains unless they fail DMARC authentication
129  and (
130    (
131      sender.email.domain.root_domain in $high_trust_sender_root_domains
132      and (
133        any(distinct(headers.hops, .authentication_results.dmarc is not null),
134            strings.ilike(.authentication_results.dmarc, "*fail")
135        )
136      )
137    )
138    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
139  )
140  and not profile.by_sender().solicited
141  and not profile.by_sender().any_false_positives  
142
143attack_types:
144  - "Credential Phishing"
145tactics_and_techniques:
146  - "Evasion"
147  - "Impersonation: Brand"
148  - "Social engineering"
149detection_methods:
150  - "Content analysis"
151  - "HTML analysis"
152  - "Sender analysis"
153id: "f12c615c-1fd7-5b57-b41e-cb42ebf75381"