Link: Microsoft Dynamics 365 form phishing
Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
Sublime rule (View on GitHub)
1name: "Link: Microsoft Dynamics 365 form phishing"
2description: |
3 Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
4references:
5 - "https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack/"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(body.links,
11 .href_url.domain.domain in ("ncv.microsoft.com", "customervoice.microsoft.com")
12 and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"
13
14 // confirm it is a form
15 and any(ml.link_analysis(.).final_dom.links,
16 .href_url.domain.domain == "cdn.forms.office.net"
17 )
18
19 // analyze for credential phishing signals
20 and (
21 any(file.explode(ml.link_analysis(.).screenshot),
22 any(ml.nlu_classifier(.scan.ocr.raw).intents,
23 .name == "cred_theft" and .confidence != "low"
24 )
25 )
26 or any(ml.nlu_classifier(body.current_thread.text).intents,
27 .name == "cred_theft" and .confidence != "low"
28 )
29 )
30 )
31
32 and (
33 not profile.by_sender().solicited
34 or (
35 profile.by_sender().any_messages_malicious_or_spam
36 and not profile.by_sender().any_false_positives
37 )
38 )
39
40 and not profile.by_sender().any_false_positives
41
42 // negate highly trusted sender domains unless they fail DMARC authentication
43 and (
44 (
45 sender.email.domain.root_domain in $high_trust_sender_root_domains
46 and not headers.auth_summary.dmarc.pass
47 )
48 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
49 )
50attack_types:
51 - "Credential Phishing"
52tactics_and_techniques:
53 - "Evasion"
54detection_methods:
55 - "Content analysis"
56 - "File analysis"
57 - "Optical Character Recognition"
58 - "Natural Language Understanding"
59 - "URL analysis"
60 - "URL screenshot"
61id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc"