Link: Microsoft Dynamics 365 form phishing

The email body is suspicious and links to a Microsoft Dynamics 365 form, a known phishing tactic.

Sublime rule (View on GitHub)

 1name: "Link: Microsoft Dynamics 365 form phishing"
 2description: |
 3    Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
 4references:
 5  - "https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack/"
 6type: "rule"
 7severity: "high"
 8source: |
  // Inbound messages only.
 9  type.inbound
  // Link gate: at least one body link must point at a Microsoft-owned
  // Customer Voice host. These are first-party Microsoft domains, so the
  // URL itself carries no reputation signal; the rest of this any() builds
  // the verdict from the landing page and from the message content.
10  and any(body.links,
11          .href_url.domain.domain in (
12            "ncv.microsoft.com",
13            "customervoice.microsoft.com"
14          )
          // Follow the link (link_analysis resolves redirects) and require
          // that the effective landing host is customervoice.microsoft.com.
15          and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"
16  
17          // confirm it is a form
          // Any one of three signals suffices: the rendered page links to
          // cdn.forms.office.net, the raw DOM contains that host name, or
          // the link path is an exact match for the response-page path.
18          and (
19            any(ml.link_analysis(.).final_dom.links,
20                .href_url.domain.domain == "cdn.forms.office.net"
21            )
22            or strings.icontains(ml.link_analysis(.).final_dom.raw,
23                                 "cdn.forms.office.net"
24            )
25            or .href_url.path == "/Pages/ResponsePage.aspx"
26          )
27  
28          // analyze for credential phishing signals
          // Either the OCR text of the landing-page screenshot or the
          // current-thread body text must carry a cred_theft intent with any
          // confidence other than "low" (only "low" is excluded).
29          and (
30            //
31            // This rule makes use of a beta feature and is subject to change without notice
32            // using the beta feature in custom rules is not suggested until it has been formally released
33            //
34            any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
35                .name == "cred_theft" and .confidence != "low"
36            )
37            or any(ml.nlu_classifier(body.current_thread.text).intents,
38                   .name == "cred_theft" and .confidence != "low"
39            )
40          )
41  )
  // Sender-history gate: the sender is unsolicited, or has prior
  // malicious/spam messages and no benign history.
  // NOTE(review): the `not any_messages_benign` inside the `or` branch is
  // already implied by the standalone `not any_messages_benign` that
  // follows, so the branch reduces to `any_messages_malicious_or_spam`;
  // harmless, but the duplicated term could be dropped.
42  and (
43    not profile.by_sender().solicited
44    or (
45      profile.by_sender().any_messages_malicious_or_spam
46      and not profile.by_sender().any_messages_benign
47    )
48  )
  // A sender with any benign history never matches this rule.
49  and not profile.by_sender().any_messages_benign
50  
51  // negate highly trusted sender domains unless they fail DMARC authentication
  // A root domain on the high-trust list only passes this gate when DMARC
  // did not pass (the trusted name may be spoofed); every other root domain
  // passes unconditionally.
52  and (
53    (
54      sender.email.domain.root_domain in $high_trust_sender_root_domains
55      and not headers.auth_summary.dmarc.pass
56    )
57    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
58  )  
59attack_types:
60  - "Credential Phishing"
61tactics_and_techniques:
62  - "Evasion"
63detection_methods:
64  - "Content analysis"
65  - "File analysis"
66  - "Optical Character Recognition"
67  - "Natural Language Understanding"
68  - "URL analysis"
69  - "URL screenshot"
70id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc"