Link: Microsoft impersonation using hosted png with suspicious link
Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
Sublime rule:

```yaml
name: "Link: Microsoft impersonation using hosted png with suspicious link"
description: |
  Detects messages with a link to a Microsoft hosted logo where the sender's display name
  and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // display name is in all caps (regex.match is a full match, so only letters and spaces are allowed)
  and regex.match(sender.display_name, '[A-Z ]+')

  // the sender is not microsoft
  and sender.email.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftsupport.com',
    'office.com'
  )

  // logo hosted on microsoft.com
  and any(body.links,
          regex.icontains(.display_url.url,
                          '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png'
          )
  )

  // and at least one link display text is an all-caps call to action
  // (alternation group with a case-sensitive match; the earlier '[VIEW|CLICK|DOWNLOAD|CHECK]'
  // was a character class and matched any single one of those letters in any case)
  and any(body.links,
          regex.contains(.display_text, '(VIEW|CLICK|DOWNLOAD|CHECK)')
  )

  // request being made
  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")

  // sender domain matches no body domains (ignoring links to widely-used domains)
  and not any(body.links,
              .href_url.domain.root_domain == sender.email.domain.root_domain
              and .href_url.domain.root_domain not in $tranco_1m
  )

  // org domain in the subject of the message
  and any($org_domains, strings.icontains(subject.subject, .))

  // first-time or anomalous sender, or one with only bad history
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "07c696d4-c58e-5252-96e2-70211f9de338"
```
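To see how the rule's conditions combine, here is an added Python re-implementation of its deterministic checks run over two constructed messages; this is example code, not Sublime's engine or part of the rule above. It assumes the NLU "request" entity and the sender-profile fields arrive as pre-computed attributes on the message (in Sublime they come from `ml.nlu_classifier` and `profile.by_sender()`), uses small stand-in sets for `$tranco_1m` and `$org_domains`, and extracts root domains naively as the last two labels. It also keeps the original character-class pattern alongside the corrected alternation so the difference can be checked directly.

```python
"""Toy evaluation of the Microsoft-logo impersonation rule over constructed messages."""
import re
from urllib.parse import urlparse

# Microsoft root domains excluded by the rule.
MICROSOFT_ROOT_DOMAINS = {"microsoft.com", "microsoftsupport.com", "office.com"}
# Constructed stand-in for Sublime's $tranco_1m list (the real list has ~1M entries).
TRANCO_1M = {"microsoft.com", "google.com", "example.com"}
# Constructed stand-in for $org_domains (the protected organisation's own domains).
ORG_DOMAINS = {"acme-corp.example"}

ALL_CAPS_RE = re.compile(r"[A-Z ]+")
LOGO_RE = re.compile(r".{0,50}microsoft\.com/.{0,70}logo.{0,25}\.png", re.IGNORECASE)
# Corrected pattern: an alternation group, matched case-sensitively so only caps CTA words hit.
CTA_RE = re.compile(r"(VIEW|CLICK|DOWNLOAD|CHECK)")
# The rule's earlier pattern: a character class, i.e. any single one of these letters or '|'.
BUGGY_CTA_RE = re.compile(r"[VIEW|CLICK|DOWNLOAD|CHECK]", re.IGNORECASE)


def root_domain(host: str) -> str:
    """Naive root domain: last two labels (assumption; no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def href_root_domain(url: str) -> str:
    return root_domain(urlparse(url).hostname or "")


def cta_in_text(text: str, pattern: re.Pattern = CTA_RE) -> bool:
    return pattern.search(text) is not None


def evaluate(msg: dict) -> dict:
    """Each rule condition by name; the rule fires only when every value is True."""
    sender_root = root_domain(msg["sender_email_domain"])
    links = msg["links"]
    return {
        "display_name_all_caps": ALL_CAPS_RE.fullmatch(msg["sender_display_name"]) is not None,
        "sender_not_microsoft": sender_root not in MICROSOFT_ROOT_DOMAINS,
        "microsoft_logo_link": any(LOGO_RE.search(link["display_url"]) for link in links),
        "caps_cta_link_text": any(cta_in_text(link["display_text"]) for link in links),
        "request_detected": "request" in msg["nlu_entities"],
        # no link points back at the sender's own (non-Tranco) domain
        "no_link_matches_sender_domain": not any(
            href_root_domain(link["href"]) == sender_root
            and href_root_domain(link["href"]) not in TRANCO_1M
            for link in links
        ),
        "org_domain_in_subject": any(d in msg["subject"].lower() for d in ORG_DOMAINS),
        "suspicious_sender_profile": msg["sender_prevalence"] in ("new", "outlier")
        or (msg["sender_any_malicious_or_spam"] and not msg["sender_any_benign"]),
    }


def matches_rule(msg: dict) -> bool:
    return all(evaluate(msg).values())


# Constructed sample messages (not real mail).
PHISH_SAMPLE = {
    "sender_display_name": "MICROSOFT SUPPORT TEAM",
    "sender_email_domain": "secure-notices.example",
    "subject": "Pending messages for acme-corp.example",
    "links": [
        {"display_url": "https://www.microsoft.com/en-us/assets/brand/logo.png",
         "display_text": "", "href": "https://www.microsoft.com/en-us/assets/brand/logo.png"},
        {"display_url": "https://portal-verify.example/login",
         "display_text": "VIEW DOCUMENT", "href": "https://portal-verify.example/login"},
    ],
    "nlu_entities": ["request"],
    "sender_prevalence": "new",
    "sender_any_malicious_or_spam": False,
    "sender_any_benign": False,
}
BENIGN_SAMPLE = {
    "sender_display_name": "Jane Doe",
    "sender_email_domain": "partner-firm.example",
    "subject": "Quarterly report for acme-corp.example",
    "links": [
        {"display_url": "https://partner-firm.example/report.pdf",
         "display_text": "Quarterly report", "href": "https://partner-firm.example/report.pdf"},
    ],
    "nlu_entities": ["request"],
    "sender_prevalence": "new",
    "sender_any_malicious_or_spam": False,
    "sender_any_benign": False,
}

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        failed = [k for k, v in evaluate(sample).items() if not v]
        print(f"{name}: fires={matches_rule(sample)} failed_checks={failed}")
```

Running it shows the first-time-sender benign message failing on four conditions (display name, logo link, CTA text, and a link back to the sender's own domain), which is the point of requiring every condition to hold: no single signal, such as a new sender or an all-caps name, is enough on its own.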