Link: Microsoft Dynamics 365 form phishing

The email body is suspicious and links to a Microsoft Dynamics 365 form, a known phishing tactic.

Sublime rule (View on GitHub)

 1name: "Link: Microsoft Dynamics 365 form phishing"
 2description: |
 3    Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
 4references:
 5  - "https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(body.links,
11          .href_url.domain.domain in (
12            "ncv.microsoft.com",
13            "customervoice.microsoft.com",
14            "nam.dcv.ms"
15          )
16          and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"
17  
18          // confirm it is a form
19          and (
20            any(ml.link_analysis(.).final_dom.links,
21                .href_url.domain.domain == "cdn.forms.office.net"
22            )
23            or strings.icontains(ml.link_analysis(.).final_dom.raw,
24                                 "cdn.forms.office.net"
25            )
26            or .href_url.path == "/Pages/ResponsePage.aspx"
27          )
28  
29          // analyze for credential phishing signals
30          and (
31            //
32            // This rule makes use of a beta feature and is subject to change without notice
33            // using the beta feature in custom rules is not suggested until it has been formally released
34            //
35            any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
36                .name == "cred_theft" and .confidence != "low"
37            )
38            or any(ml.nlu_classifier(body.current_thread.text).intents,
39                   .name == "cred_theft" and .confidence != "low"
40            )
41          )
42  )
43  and (
44    not profile.by_sender().solicited
45    or (
46      profile.by_sender().any_messages_malicious_or_spam
47      and not profile.by_sender().any_messages_benign
48    )
49  )
50  and not profile.by_sender().any_messages_benign
51  
52  // negate highly trusted sender domains unless they fail DMARC authentication
53  and (
54    (
55      sender.email.domain.root_domain in $high_trust_sender_root_domains
56      and not headers.auth_summary.dmarc.pass
57    )
58    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
59  )  
60attack_types:
61  - "Credential Phishing"
62tactics_and_techniques:
63  - "Evasion"
64detection_methods:
65  - "Content analysis"
66  - "File analysis"
67  - "Optical Character Recognition"
68  - "Natural Language Understanding"
69  - "URL analysis"
70  - "URL screenshot"
71id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc"