Brand impersonation: Sharepoint

calendar Nov 13, 2024  ยท
Share on: linkedin copy

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Sharepoint"
 2description: |
 3    Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(body.links) > 0
 9  and (
10    any(attachments,
11        (.file_type in $file_types_images or .file_type == "pdf")
12        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13    )
14    or any(ml.logo_detect(beta.message_screenshot()).brands,
15           .name == "Microsoft SharePoint"
16    )
17    or strings.istarts_with(strings.replace_confusables(body.current_thread.text), "Sharepoint")
18  )
19  and (
20    (
21      any(ml.nlu_classifier(body.current_thread.text).intents,
22          .name == "cred_theft" and .confidence == "high"
23      )
24      or any(file.explode(beta.message_screenshot()),
25             any(ml.nlu_classifier(.scan.ocr.raw).intents,
26                 .name == "cred_theft" and .confidence == "high"
27             )
28      )
29    )
30    or any(ml.nlu_classifier(body.current_thread.text).entities,
31           .name == "urgency" and strings.ilike(.text, "*encrypted*")
32    )
33  )
34  and (
35    (
36      profile.by_sender().prevalence in ("new", "outlier")
37      and not profile.by_sender().solicited
38    )
39    or profile.by_sender().any_messages_malicious_or_spam
40  )
41  and not profile.by_sender().any_false_positives
42  
43  // negate highly trusted sender domains unless they fail DMARC authentication
44  and (
45    (
46      sender.email.domain.root_domain in $high_trust_sender_root_domains
47      and not headers.auth_summary.dmarc.pass
48    )
49    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
50  )  
51attack_types:
52  - "Credential Phishing"
53tactics_and_techniques:
54  - "Impersonation: Brand"
55  - "Social engineering"
56detection_methods:
57  - "Computer Vision"
58  - "Content analysis"
59  - "File analysis"
60  - "Natural Language Understanding"
61  - "Sender analysis"
62id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"
to-top