Brand impersonation: Sharepoint
Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Sharepoint"
2description: |
3 Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(body.links) > 0
9 and (
10 any(attachments,
11 (.file_type in $file_types_images or .file_type == "pdf")
12 and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13 )
14 or any(ml.logo_detect(beta.message_screenshot()).brands,
15 .name == "Microsoft SharePoint"
16 )
17 or strings.istarts_with(strings.replace_confusables(body.current_thread.text),
18 "Sharepoint"
19 )
20 or regex.icontains(body.html.raw,
21 '<img.*(title=|alt=).share.*src=""'
22 ) // broken Sharepoint logo
23 )
24 and (
25 (
26 any(ml.nlu_classifier(body.current_thread.text).intents,
27 .name == "cred_theft" and .confidence == "high"
28 )
29 or any(file.explode(beta.message_screenshot()),
30 any(ml.nlu_classifier(.scan.ocr.raw).intents,
31 .name == "cred_theft" and .confidence == "high"
32 )
33 )
34 )
35 or any(ml.nlu_classifier(body.current_thread.text).entities,
36 .name == "urgency" and strings.ilike(.text, "*encrypted*")
37 )
38 )
39 and not (
40 (
41 (
42 strings.istarts_with(subject.subject, "RE:")
43 or strings.istarts_with(subject.subject, "R:")
44 or strings.istarts_with(subject.subject, "ODG:")
45 or strings.istarts_with(subject.subject, "答复:")
46 or strings.istarts_with(subject.subject, "AW:")
47 or strings.istarts_with(subject.subject, "TR:")
48 or strings.istarts_with(subject.subject, "FWD:")
49 or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
50 or regex.imatch(subject.subject,
51 '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
52 )
53 )
54 and (
55 (length(headers.references) > 0 or headers.in_reply_to is not null)
56 // ensure that there are actual threads
57 and (
58 length(body.previous_threads) > 0
59 or (length(body.html.display_text) - length(body.current_thread.text)) > 200
60 )
61 )
62 )
63 )
64 and (
65 profile.by_sender_email().prevalence != 'common'
66 or not profile.by_sender_email().solicited
67 or profile.by_sender().any_messages_malicious_or_spam
68 )
69 and not profile.by_sender().any_messages_benign
70
71 // negate highly trusted sender domains unless they fail DMARC authentication
72 and (
73 (
74 sender.email.domain.root_domain in $high_trust_sender_root_domains
75 and not headers.auth_summary.dmarc.pass
76 )
77 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
78 )
79
80 // negate sharepoint file share
81 and not (
82 // based on the message id format
83 (
84 (
85 strings.starts_with(headers.message_id, '<Share-')
86 and strings.ends_with(headers.message_id, '@odspnotify>')
87 )
88 or // negate legitimate access request to file
89 (
90 strings.starts_with(headers.message_id, '<Sharing')
91 and strings.ends_with(headers.message_id, '@odspnotify>')
92 )
93 // deal with Google thinking the message ID is "broke"
94 or (
95 strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
96 and any(headers.hops,
97 any(.fields,
98 .name == "X-Google-Original-Message-ID"
99 and strings.starts_with(.value, '<Share-')
100 and strings.ends_with(.value, '@odspnotify>')
101 )
102 )
103 )
104 )
105 // all of the "action" links are sharepoint/ms
106 and all(filter(body.links,
107 strings.icontains(subject.subject, .display_text)
108 or .display_text == "Open"
109 ),
110 .href_url.domain.root_domain in ("sharepoint.com")
111 or (
112 .href_url.domain.tld == "ms"
113 // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
114 and (
115 network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
116 or strings.ilike(network.whois(.href_url.domain).registrar_name,
117 "*MarkMonitor*",
118 "*CSC Corporate*",
119 "*com laude*"
120 )
121 )
122 )
123 )
124 )
125
126attack_types:
127 - "Credential Phishing"
128tactics_and_techniques:
129 - "Impersonation: Brand"
130 - "Social engineering"
131detection_methods:
132 - "Computer Vision"
133 - "Content analysis"
134 - "File analysis"
135 - "Natural Language Understanding"
136 - "Sender analysis"
137id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"