Link: Microsoft impersonation using hosted png with suspicious link
Detects messages with a link to a Microsoft-hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
Sublime rule
```yaml
name: "Link: Microsoft impersonation using hosted png with suspicious link"
description: |
  Detects messages with a link to a Microsoft hosted logo where the sender's display name
  and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // display name is in all caps
  and regex.match(sender.display_name, '[A-Z ]+')

  // the sender is not microsoft
  and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')

  // logo hosted on microsoft.com
  and any(body.links,
          regex.icontains(.display_url.url, '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png')
  )

  // and at least one link display text carries an all-caps call to action
  // (case-sensitive alternation: a bracketed character class with icontains would match almost any text)
  and any(body.links, regex.contains(.display_text, '(VIEW|CLICK|DOWNLOAD|CHECK)'))

  // request being made
  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")

  // no body link shares the sender's (non-Tranco) root domain
  and not any(body.links,
              .href_url.domain.root_domain == sender.email.domain.root_domain
              and .href_url.domain.root_domain not in $tranco_1m
  )

  // org domain in the subject of the message
  and any($org_domains, strings.icontains(subject.subject, .))

  // first-time sender
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "07c696d4-c58e-5252-96e2-70211f9de338"
```
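To show what the rule's predicates actually do on a message, here is an added Python re-implementation run over two constructed samples; it is not Sublime's code, and the `$`-lists, the public-suffix root-domain logic and the NLU "request" entity are replaced by labelled stand-ins.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for Sublime's $-lists and NLU output (assumptions, not Sublime data).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com"}
TRANCO_1M = {"microsoft.com", "google.com"}
ORG_DOMAINS = {"example-corp.com"}
KNOWN_SENDER_EMAILS, KNOWN_SENDER_DOMAINS = set(), set()
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftsupport.com", "office.com"}
LOGO_RE = re.compile(r".{0,50}microsoft\.com/.{0,70}logo.{0,25}\.png", re.I)
CAPS_CTA_RE = re.compile(r"(VIEW|CLICK|DOWNLOAD|CHECK)")  # case-sensitive: all caps only

def root_domain(host):
    # naive two-label root; Sublime's root_domain uses the public suffix list
    return ".".join(host.lower().split(".")[-2:])

def href_root(href):
    return root_domain(urlparse(href).hostname or "")

def matches_rule(msg):
    """msg keys: display_name, sender, subject, has_request (stand-in for the NLU
    'request' entity) and links as (display_text, display_url, href_url) tuples."""
    sender_domain = msg["sender"].split("@")[1].lower()
    sender_root = root_domain(sender_domain)
    if sender_root in FREE_EMAIL_PROVIDERS:
        first_time = msg["sender"].lower() not in KNOWN_SENDER_EMAILS
    else:
        first_time = sender_domain not in KNOWN_SENDER_DOMAINS
    return (
        re.fullmatch(r"[A-Z ]+", msg["display_name"]) is not None
        and sender_root not in MICROSOFT_DOMAINS
        and any(LOGO_RE.search(disp) for _, disp, _ in msg["links"])
        and any(CAPS_CTA_RE.search(text) for text, _, _ in msg["links"])
        and msg["has_request"]
        # no body link shares the sender's (non-Tranco) root domain
        and not any(href_root(h) == sender_root and href_root(h) not in TRANCO_1M
                    for _, _, h in msg["links"])
        and any(d in msg["subject"].lower() for d in ORG_DOMAINS)
        and first_time
    )

LOGO = "https://www.microsoft.com/assets/ms-logo.png"
# Constructed samples: a free-mail lure, and a vendor mail whose link points to its own domain.
SUSPICIOUS = {"display_name": "MICROSOFT SUPPORT", "sender": "helpdesk.notice@gmail.com",
              "subject": "Action required: example-corp.com mailbox", "has_request": True,
              "links": [("", LOGO, LOGO), ("CLICK HERE", "", "https://verify.example.net/login")]}
VENDOR = {"display_name": "ACME BILLING", "sender": "billing@acme-vendor.example",
          "subject": "Invoice for example-corp.com", "has_request": True,
          "links": [("", LOGO, LOGO), ("VIEW INVOICE", "", "https://portal.acme-vendor.example/inv")]}
```

The vendor sample fails only on the "sender domain appears in body links" exclusion, which is the check that keeps legitimate branded mail from a first-time vendor out of this rule.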