Link: Microsoft impersonation using hosted png with suspicious link

Detects messages containing a link to a Microsoft-hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made by a first-time sender.

Sublime rule:

```yaml
name: "Link: Microsoft impersonation using hosted png with suspicious link"
description: |
  Detects messages with a link to a Microsoft hosted logo where the sender's display name
  and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // display name is in all caps (regex.match is a full-string match)
  and regex.match(sender.display_name, '[A-Z ]+')

  // the sender is not microsoft
  and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')

  // logo hosted on microsoft.com
  and any(body.links,
          regex.icontains(.display_url.url, '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png')
  )

  // and at least one link display text is an all-caps call to action
  // (case-sensitive alternation with word boundaries; the bracketed form
  // '[VIEW|CLICK|DOWNLOAD|CHECK]' is a character class that matches any single letter)
  and any(body.links, regex.contains(.display_text, '\b(VIEW|CLICK|DOWNLOAD|CHECK)\b'))

  // request being made
  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")

  // sender domain matches no body domains
  and not any(body.links,
              .href_url.domain.root_domain == sender.email.domain.root_domain
              and .href_url.domain.root_domain not in $tranco_1m
  )

  // org domain in the subject of the message
  and any($org_domains, strings.icontains(subject.subject, .))
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "07c696d4-c58e-5252-96e2-70211f9de338"
```
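As an added example (not the Sublime rule itself or Sublime's own code), the clauses above mirrored in plain Python and evaluated against a constructed message; the domains, the Tranco and org-domain sets, the NLU entity and the sender-profile fields are all assumed stand-ins for the MQL inputs. It also contrasts the word-bounded call-to-action alternation with the character-class form, which matches nearly any text.

```python
import re
# Added example (not part of the Sublime rule): each MQL clause mirrored in plain Python
# and run over a constructed message so the logic can be checked offline.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftsupport.com", "office.com"}
LOGO_RE = re.compile(r".{0,50}microsoft\.com/.{0,70}logo.{0,25}\.png", re.I)
# Call-to-action as a real alternation: case-sensitive and word-bounded, so only an
# upper-case verb counts. The bracketed '[VIEW|CLICK|DOWNLOAD|CHECK]' is a character
# class matching any single one of those letters (or '|'), i.e. almost any text.
CTA_RE = re.compile(r"\b(VIEW|CLICK|DOWNLOAD|CHECK)\b")
CTA_CLASS_RE = re.compile(r"[VIEW|CLICK|DOWNLOAD|CHECK]", re.I)

def display_name_all_caps(name: str) -> bool:
    # MQL regex.match is a full-string match, hence fullmatch rather than search
    return re.fullmatch(r"[A-Z ]+", name) is not None

def rule_fires(msg: dict) -> bool:
    """True when every clause of the rule holds for msg (keys mirror the MQL fields)."""
    links, sender = msg["links"], msg["sender_root_domain"].lower()
    return (
        display_name_all_caps(msg["display_name"])
        and sender not in MICROSOFT_DOMAINS
        and any(LOGO_RE.search(l["display_url"]) for l in links)
        and any(CTA_RE.search(l["display_text"]) for l in links)
        and "request" in msg["nlu_entities"]
        # no body link pointing at the sender's own (non-Tranco) domain
        and not any(l["href_domain"] == sender and l["href_domain"] not in msg["tranco_1m"] for l in links)
        and any(d.lower() in msg["subject"].lower() for d in msg["org_domains"])
        and (msg["prevalence"] in ("new", "outlier")
             or (msg["any_malicious_or_spam"] and not msg["any_false_positives"]))
    )

# Constructed sample resembling the lure the rule describes; all domains are placeholders.
SAMPLE = {
    "display_name": "MICROSOFT ACCOUNT TEAM",
    "sender_root_domain": "example.net",
    "subject": "Action required: example.com mailbox storage",
    "org_domains": ["example.com"],
    "tranco_1m": {"microsoft.com"},
    "nlu_entities": {"request"},
    "prevalence": "new",
    "any_malicious_or_spam": False,
    "any_false_positives": False,
    "links": [
        {"href_domain": "example.org", "display_text": "",
         "display_url": "https://www.microsoft.com/placeholder/brand/logo.png"},
        {"href_domain": "example.org", "display_text": "CLICK HERE TO REVIEW",
         "display_url": "https://example.org/placeholder"},
    ],
}
```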