Brand impersonation: Sharepoint

 1name: "Brand impersonation: Sharepoint"
 2description: |
 3    Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(body.links) > 0
 9  and (
10    any(attachments,
11        (.file_type in $file_types_images or .file_type == "pdf")
12        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13    )
14    or any(ml.logo_detect(beta.message_screenshot()).brands,
15           .name == "Microsoft SharePoint"
16    )
17  )
18  and (
19    any(ml.nlu_classifier(body.current_thread.text).intents,
20        .name == "cred_theft" and .confidence == "high"
21    )
22    or any(file.explode(beta.message_screenshot()),
23           any(ml.nlu_classifier(.scan.ocr.raw).intents,
24               .name == "cred_theft" and .confidence == "high"
25           )
26    )
27  )
28  and (
29    (
30      profile.by_sender().prevalence in ("new", "outlier")
31      and not profile.by_sender().solicited
32    )
33    or profile.by_sender().any_messages_malicious_or_spam
34  )
35  and not profile.by_sender().any_false_positives
36  
37  // negate highly trusted sender domains unless they fail DMARC authentication
38  and (
39    (
40      sender.email.domain.root_domain in $high_trust_sender_root_domains
41      and not headers.auth_summary.dmarc.pass
42    )
43    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
44  )  
45attack_types:
46  - "Credential Phishing"
47tactics_and_techniques:
48  - "Impersonation: Brand"
49  - "Social engineering"
50detection_methods:
51  - "Computer Vision"
52  - "Content analysis"
53  - "File analysis"
54  - "Natural Language Understanding"
55  - "Sender analysis"
56id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"