Brand impersonation: Sharepoint
Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Sharepoint"
2description: |
3 Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(body.links) > 0
9 and (
10 any(attachments,
11 (.file_type in $file_types_images or .file_type == "pdf")
12 and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13 )
14 or any(ml.logo_detect(beta.message_screenshot()).brands,
15 .name == "Microsoft SharePoint"
16 )
17 )
18 and (
19 (
20 any(ml.nlu_classifier(body.current_thread.text).intents,
21 .name == "cred_theft" and .confidence == "high"
22 )
23 or any(file.explode(beta.message_screenshot()),
24 any(ml.nlu_classifier(.scan.ocr.raw).intents,
25 .name == "cred_theft" and .confidence == "high"
26 )
27 )
28 )
29 or any(ml.nlu_classifier(body.current_thread.text).entities,
30 .name == "urgency" and strings.ilike(.text, "*encrypted*")
31 )
32 )
33 and (
34 (
35 profile.by_sender().prevalence in ("new", "outlier")
36 and not profile.by_sender().solicited
37 )
38 or profile.by_sender().any_messages_malicious_or_spam
39 )
40 and not profile.by_sender().any_false_positives
41
42 // negate highly trusted sender domains unless they fail DMARC authentication
43 and (
44 (
45 sender.email.domain.root_domain in $high_trust_sender_root_domains
46 and not headers.auth_summary.dmarc.pass
47 )
48 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49 )
50attack_types:
51 - "Credential Phishing"
52tactics_and_techniques:
53 - "Impersonation: Brand"
54 - "Social engineering"
55detection_methods:
56 - "Computer Vision"
57 - "Content analysis"
58 - "File analysis"
59 - "Natural Language Understanding"
60 - "Sender analysis"
61id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"