Brand impersonation: Sharepoint

calendar Dec 20, 2024  ยท
Share on: linkedin copy

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Sharepoint"
 2description: |
 3    Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(body.links) > 0
 9  and (
10    any(attachments,
11        (.file_type in $file_types_images or .file_type == "pdf")
12        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13    )
14    or any(ml.logo_detect(beta.message_screenshot()).brands,
15           .name == "Microsoft SharePoint"
16    )
17    or strings.istarts_with(strings.replace_confusables(body.current_thread.text), "Sharepoint")
18    or regex.icontains(body.html.raw, '<img.*(title=|alt=).share.*src=""')  // broken Sharepoint logo
19  )
20  and (
21    (
22      any(ml.nlu_classifier(body.current_thread.text).intents,
23          .name == "cred_theft" and .confidence == "high"
24      )
25      or any(file.explode(beta.message_screenshot()),
26             any(ml.nlu_classifier(.scan.ocr.raw).intents,
27                 .name == "cred_theft" and .confidence == "high"
28             )
29      )
30    )
31    or any(ml.nlu_classifier(body.current_thread.text).entities,
32           .name == "urgency" and strings.ilike(.text, "*encrypted*")
33    )
34  )
35  and (
36    profile.by_sender_email().prevalence != 'common'
37    or not profile.by_sender_email().solicited
38    or profile.by_sender().any_messages_malicious_or_spam
39  )
40  and not profile.by_sender().any_false_positives
41  
42  // negate highly trusted sender domains unless they fail DMARC authentication
43  and (
44    (
45      sender.email.domain.root_domain in $high_trust_sender_root_domains
46      and not headers.auth_summary.dmarc.pass
47    )
48    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49  )  
50attack_types:
51  - "Credential Phishing"
52tactics_and_techniques:
53  - "Impersonation: Brand"
54  - "Social engineering"
55detection_methods:
56  - "Computer Vision"
57  - "Content analysis"
58  - "File analysis"
59  - "Natural Language Understanding"
60  - "Sender analysis"
61id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"
to-top