Link: Microsoft Dynamics 365 form phishing
The email body carries credential-theft language and links to a Microsoft Dynamics 365 Customer Voice form — a known phishing tactic that abuses legitimate Microsoft-hosted infrastructure.
name: "Link: Microsoft Dynamics 365 form phishing"
description: |
  Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
# Background: the referenced report describes a compromised Customer Voice
# account hosting a phishing form. Because the form lives on legitimate
# Microsoft infrastructure, link reputation alone will not flag it; this rule
# therefore pairs the link/form check with content-level credential-theft signals.
references:
  - "https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack/"
type: "rule"
# High: the matched page is confirmed to be a form AND at least one classifier
# branch below reports credential-theft intent above "low" confidence.
severity: "high"
source: |
  // Inbound mail only.
  type.inbound
  // Require at least one body link that (1) points at a Customer Voice host,
  // (2) resolves to customervoice.microsoft.com, (3) renders a form, and
  // (4) shows credential-theft language somewhere.
  and any(body.links,
          // Initial href may be either host; the resolved destination must be
          // customervoice.microsoft.com (ncv.microsoft.com links are expected to
          // land there — the effective_url check enforces that rather than trusting
          // the raw href).
          .href_url.domain.domain in ("ncv.microsoft.com", "customervoice.microsoft.com")
          and beta.linkanalysis(.).effective_url.domain.domain == "customervoice.microsoft.com"

          // confirm it is a form: the fetched page's DOM links to the Office
          // Forms CDN. NOTE(review): if link analysis cannot fetch the page,
          // this branch has nothing to match and the rule will not fire — confirm
          // whether a fallback is wanted.
          and any(beta.linkanalysis(.).final_dom.links,
                  .href_url.domain.domain == "cdn.forms.office.net"
          )

          // analyze for credential phishing signals: at least one of the three
          // classifier checks must report "cred_theft" with confidence other than
          // "low" (i.e. medium or high).
          and 1 of (
            (
              // analyze the link: OCR the screenshot of the resolved page and
              // classify the extracted text. Catches forms whose phishing lure is
              // only on the landing page, not in the email body.
              any(file.explode(beta.linkanalysis(.).screenshot),
                  any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "cred_theft" and .confidence != "low"
                  )
              )
            ),
            (
              // analyze the HTML body (rendered display text, not raw markup)
              any(ml.nlu_classifier(body.html.display_text).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
            ),
            (
              // analyze the plain body
              any(ml.nlu_classifier(body.plain.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
            )
          )
  )
# NOTE(review): legitimate Customer Voice survey invitations satisfy the link
# and form checks as well; only the classifier branches separate them. Track
# false positives on this rule accordingly.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
# Each method below corresponds to a clause in `source`: URL analysis/screenshot
# (beta.linkanalysis), file analysis + OCR (file.explode of the screenshot),
# NLU/content analysis (ml.nlu_classifier on OCR text and both body variants).
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Natural Language Understanding"
  - "URL analysis"
  - "URL screenshot"
id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc"