Link: Microsoft Dynamics 365 form phishing

calendar Nov 14, 2024  ยท
Share on: linkedin copy

Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.

Sublime rule (View on GitHub)

 1name: "Link: Microsoft Dynamics 365 form phishing"
 2description: |
 3    Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
 4references:
 5  - "https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(body.links,
11          .href_url.domain.domain in ("ncv.microsoft.com", "customervoice.microsoft.com")
12          and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"
13  
14          // confirm it is a form
15          and (
16            any(ml.link_analysis(.).final_dom.links,
17                .href_url.domain.domain == "cdn.forms.office.net"
18            )
19            or strings.icontains(ml.link_analysis(.).final_dom.raw,
20                                 "cdn.forms.office.net"
21            )
22          )
23          
24          // analyze for credential phishing signals
25          and (
26            any(file.explode(ml.link_analysis(.).screenshot),
27                any(ml.nlu_classifier(.scan.ocr.raw).intents,
28                   .name == "cred_theft" and .confidence != "low"
29                )
30            )
31            or any(ml.nlu_classifier(body.current_thread.text).intents,
32                   .name == "cred_theft" and .confidence != "low"
33            )
34          )
35  )
36
37  and (
38    not profile.by_sender().solicited
39    or (
40      profile.by_sender().any_messages_malicious_or_spam
41      and not profile.by_sender().any_false_positives
42    )
43  )
44
45  and not profile.by_sender().any_false_positives
46
47  // negate highly trusted sender domains unless they fail DMARC authentication
48  and (
49    (
50      sender.email.domain.root_domain in $high_trust_sender_root_domains
51      and not headers.auth_summary.dmarc.pass
52    )
53    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
54  )  
55attack_types:
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "Evasion"
59detection_methods:
60  - "Content analysis"
61  - "File analysis"
62  - "Optical Character Recognition"
63  - "Natural Language Understanding"
64  - "URL analysis"
65  - "URL screenshot"
66id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc"
to-top