Link: Microsoft impersonation using hosted png with suspicious link
Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
Sublime rule

name: "Link: Microsoft impersonation using hosted png with suspicious link"
description: |
  Detects messages with a link to a Microsoft hosted logo where the sender's display name
  and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // display name is in all caps (regex.match must match the whole string)
  and regex.match(sender.display_name, '[A-Z ]+')

  // the sender is not microsoft
  and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')

  // logo hosted on microsoft.com
  and any(body.links,
          regex.icontains(.display_url.url, '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png')
  )

  // and at least one link display text is an all-caps call to action.
  // Note: the pattern must be a parenthesised alternation and a case-sensitive
  // match; written as a square-bracket character class with regex.icontains it
  // would match any single letter from the words and never enforce all caps.
  and any(body.links, regex.contains(.display_text, '\b(VIEW|CLICK|DOWNLOAD|CHECK)\b'))

  // request being made
  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")

  // sender domain matches no body domains (a link back to the sender's own
  // non-Tranco domain points to a legitimate sender rather than impersonation)
  and not any(body.links,
              .href_url.domain.root_domain == sender.email.domain.root_domain
              and .href_url.domain.root_domain not in $tranco_1m
  )

  // org domain in the subject of the message
  and any($org_domains, strings.icontains(subject.subject, .))
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "07c696d4-c58e-5252-96e2-70211f9de338"
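The following is an added Python example, not Sublime's engine or part of the rule above. It re-implements each of the rule's predicates over a constructed message so the logic can be exercised offline, and it contrasts the intended call-to-action alternation with the square-bracket character class, which behaves very differently. The `Message`/`Link` structures, the stand-in sets for `$tranco_1m` and `$org_domains`, the `has_request_intent` flag (standing in for the NLU "request" entity) and all sample values are assumptions made for the example.

```python
"""Re-implementation of the rule's checks for offline testing (added example)."""
import re
from dataclasses import dataclass, replace

# Regexes from the rule. MQL regex.match is a full-string match, regex.contains a search.
DISPLAY_NAME_ALL_CAPS = re.compile(r"[A-Z ]+")
MS_LOGO_URL = re.compile(r".{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png", re.I)
# Intended check: an all-caps call to action, matched case-sensitively.
CAPS_CTA = re.compile(r"\b(VIEW|CLICK|DOWNLOAD|CHECK)\b")
# Square brackets build a character class, so this matches any single one of the
# letters V I E W C L K D O N A H (or '|'); with a case-insensitive search it hits
# almost any text, which is why the alternation form above is needed.
CAPS_CTA_AS_CHARCLASS = re.compile(r"[VIEW|CLICK|DOWNLOAD|CHECK]", re.I)

MICROSOFT_ROOTS = {"microsoft.com", "microsoftsupport.com", "office.com"}
TRANCO_1M = {"microsoft.com", "office.com", "github.com"}   # constructed stand-in for $tranco_1m
ORG_DOMAINS = {"example.org"}                                # constructed stand-in for $org_domains


@dataclass
class Link:
    display_url: str      # URL shown to the user (.display_url.url)
    href_root_domain: str  # root domain of the actual target (.href_url.domain.root_domain)
    display_text: str      # anchor text (.display_text)


@dataclass
class Message:
    sender_display_name: str
    sender_root_domain: str
    subject: str
    links: list
    has_request_intent: bool   # stand-in for the NLU "request" entity
    sender_prevalence: str     # "new", "outlier" or "common"
    any_malicious_or_spam: bool = False
    any_false_positives: bool = False


def sender_profile_suspicious(m: Message) -> bool:
    return m.sender_prevalence in ("new", "outlier") or (
        m.any_malicious_or_spam and not m.any_false_positives
    )


def sender_domain_in_body(m: Message) -> bool:
    # A body link back to the sender's own non-popular domain is the rule's
    # exclusion: such senders usually link to themselves legitimately.
    return any(
        l.href_root_domain == m.sender_root_domain and l.href_root_domain not in TRANCO_1M
        for l in m.links
    )


def evaluate(m: Message) -> list:
    """Return the names of the rule conditions that fail; an empty list means the rule fires."""
    checks = {
        "display_name_all_caps": DISPLAY_NAME_ALL_CAPS.fullmatch(m.sender_display_name) is not None,
        "sender_not_microsoft": m.sender_root_domain not in MICROSOFT_ROOTS,
        "ms_logo_link": any(MS_LOGO_URL.search(l.display_url) for l in m.links),
        "caps_cta_link": any(CAPS_CTA.search(l.display_text) for l in m.links),
        "request_intent": m.has_request_intent,
        "no_self_link": not sender_domain_in_body(m),
        "org_domain_in_subject": any(d.lower() in m.subject.lower() for d in ORG_DOMAINS),
        "suspicious_sender_profile": sender_profile_suspicious(m),
    }
    return [name for name, passed in checks.items() if not passed]


def matches(m: Message) -> bool:
    return not evaluate(m)


# Constructed sample: caps display name, first-time sender, Microsoft-hosted logo,
# caps CTA pointing at a third-party domain, org domain in the subject.
PHISH = Message(
    sender_display_name="MICROSOFT ACCOUNT TEAM",
    sender_root_domain="mail-notify.example",
    subject="Action required for example.org mailbox",
    links=[
        Link("https://cdn.microsoft.com/assets/ms-logo.png", "microsoft.com", ""),
        Link("https://portal.verify-login.example/open", "verify-login.example", "VIEW MESSAGE"),
    ],
    has_request_intent=True,
    sender_prevalence="new",
)

# Same message but with a mixed-case call to action: only the CTA check should fail.
MIXED_CASE_CTA = replace(
    PHISH, links=[PHISH.links[0], replace(PHISH.links[1], display_text="View message")]
)

# Genuine Microsoft sender: excluded by the root-domain check.
LEGIT = replace(PHISH, sender_root_domain="microsoft.com", sender_prevalence="common")

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("mixed-case", MIXED_CASE_CTA), ("legit", LEGIT)):
        print(label, "fires" if matches(msg) else "failed: " + ", ".join(evaluate(msg)))
```

Running the module prints which conditions each constructed message fails; the character-class pattern is kept only to show why a pattern that looks like an alternation can silently match nearly everything.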