Brand impersonation: Sharepoint

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Sharepoint"
 2description: |
 3    Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
 4type: "rule"
 5severity: "high"
 6source: |
 7  type.inbound
 8  and length(body.links) > 0
 9  and (
10    any(attachments,
11        (.file_type in $file_types_images or .file_type == "pdf")
12        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13    )
14    or any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Microsoft SharePoint")
15  )
16  and (
17    any(ml.nlu_classifier(body.current_thread.text).intents,
18        .name == "cred_theft" and .confidence == "high"
19    )
20    or any(file.explode(beta.message_screenshot()),
21           any(ml.nlu_classifier(.scan.ocr.raw).intents,
22               .name == "cred_theft" and .confidence == "high"
23           )
24    )
25  )  
26attack_types:
27  - "Credential Phishing"
28tactics_and_techniques:
29  - "Impersonation: Brand"
30  - "Social engineering"
31detection_methods:
32  - "Computer Vision"
33  - "Content analysis"
34  - "File analysis"
35  - "Natural Language Understanding"
36  - "Sender analysis"
37id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"
to-top