Brand impersonation: Sharepoint
Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Sharepoint"
2description: |
3 Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(body.links) > 0
9 and (
10 any(attachments,
11 (.file_type in $file_types_images or .file_type == "pdf")
12 and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13 )
14 or any(ml.logo_detect(beta.message_screenshot()).brands,
15 .name == "Microsoft SharePoint"
16 )
17 )
18 and (
19 any(ml.nlu_classifier(body.current_thread.text).intents,
20 .name == "cred_theft" and .confidence == "high"
21 )
22 or any(file.explode(beta.message_screenshot()),
23 any(ml.nlu_classifier(.scan.ocr.raw).intents,
24 .name == "cred_theft" and .confidence == "high"
25 )
26 )
27 )
28 and (
29 (
30 profile.by_sender().prevalence in ("new", "outlier")
31 and not profile.by_sender().solicited
32 )
33 or profile.by_sender().any_messages_malicious_or_spam
34 )
35 and not profile.by_sender().any_false_positives
36
37 // negate highly trusted sender domains unless they fail DMARC authentication
38 and (
39 (
40 sender.email.domain.root_domain in $high_trust_sender_root_domains
41 and not headers.auth_summary.dmarc.pass
42 )
43 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
44 )
45attack_types:
46 - "Credential Phishing"
47tactics_and_techniques:
48 - "Impersonation: Brand"
49 - "Social engineering"
50detection_methods:
51 - "Computer Vision"
52 - "Content analysis"
53 - "File analysis"
54 - "Natural Language Understanding"
55 - "Sender analysis"
56id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"