Brand impersonation: Microsoft with low reputation links

Detects low-reputation links with Microsoft-specific indicators in the body.

Sublime rule

# Sublime Security detection rule. Everything the rule evaluates is the MQL
# query in the `source` block; the remaining keys are metadata.
name: "Brand impersonation: Microsoft with low reputation links"
description: "Detects low reputation links with Microsoft specific indicators in the body."
type: "rule"
severity: "medium"
# The query is one conjunction: each top-level `and` group below must hold
# for the message to match.
source: |
  // inbound mail only
  type.inbound
  // suspicious link: at least one body link that is outside the Tranco 1M,
  // on a free file / free subdomain host or URL shortener, masked by one of
  // the listed mass-mailer domains, or a Google AMP redirect
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "rs6.net"
            )

            // Google AMP redirect
            or (
              .href_url.domain.sld == "google"
              and strings.starts_with(.href_url.path, "/amp/")
            )
          )

          // exclude sources of potential FPs
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net"
            )
            // NOTE(review): this inner any() scans every body link, not the
            // current one, so one free-file-host link anywhere in the message
            // re-enables the Microsoft-domain exclusion above for all links —
            // confirm that is intended
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          // links to domains in $org_domains are never treated as suspicious
          and .href_url.domain.root_domain not in $org_domains
  )

  // not a reply: no References header, or no In-Reply-To field on any hop
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // Microsoft logo: logo detection on an image attachment, or on a
  // screenshot of the rendered message (beta function)
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           strings.starts_with(.name, "Microsoft")
    )
  )

  // suspicious content: a subject-matter keyword AND a call-to-action
  // keyword must both appear (case-insensitive) in the plain body, in OCR
  // text of an image attachment, or in OCR text of the message screenshot
  and (
    (
      // NOTE(review): this list uses "*message*" while both OCR lists below
      // use the narrower "*messages*" — confirm the difference is intended
      strings.ilike(body.plain.raw,
                    "*password*",
                    "*document*",
                    "*voicemail*",
                    "*cache*",
                    "*fax*",
                    "*storage*",
                    "*quota*",
                    "*message*"
      )
      and strings.ilike(body.plain.raw,
                        "*terminated*",
                        "*review*",
                        "*expire*",
                        "*click*",
                        "*view*",
                        "*exceed*",
                        "*clear*",
                        "*only works*",
                        "*failed*",
                        "*deleted*"
      )
    )
    or (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*password*",
                                "*document*",
                                "*voicemail*",
                                "*cache*",
                                "*fax*",
                                "*storage*",
                                "*quota*",
                                "*messages*"
                  )
                  and strings.ilike(.scan.ocr.raw,
                                    "*terminated*",
                                    "*review*",
                                    "*expire*",
                                    "*click*",
                                    "*view*",
                                    "*exceed*",
                                    "*clear*",
                                    "*only works*",
                                    "*failed*",
                                    "*deleted*"
                  )
          )
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          strings.ilike(.scan.ocr.raw,
                        "*password*",
                        "*document*",
                        "*voicemail*",
                        "*cache*",
                        "*fax*",
                        "*storage*",
                        "*quota*",
                        "*messages*"
          )
          and strings.ilike(.scan.ocr.raw,
                            "*terminated*",
                            "*review*",
                            "*expire*",
                            "*click*",
                            "*view*",
                            "*exceed*",
                            "*clear*",
                            "*only works*",
                            "*failed*",
                            "*deleted*"
          )
      )
    )
  )
  // NLU: credential-theft intent in the thread text or in attachment OCR
  // text, or an urgency entity without a high-confidence benign intent
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        // NOTE(review): `in~` here but plain `in` in the attachment branch
        // below — harmless if confidence values are always lowercase, but
        // confirm which form is intended and align them
        .name == "cred_theft" and .confidence in~ ("medium", "high")
    )
    or any(attachments,
           .file_type in $file_types_images
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence in ("medium", "high")
                   )
           )
    )
    or (
      any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
      and not any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "benign" and .confidence == "high"
      )
    )
  )
  // exclude mail whose sender root domain is one of the Microsoft sending
  // domains listed here
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        // any hop carrying a DMARC result that ends in "fail"
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // sender profile: unsolicited, or previously seen as malicious/spam with
  // no false-positive history
  and (
    (
      not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // NOTE(review): applied to every branch, so the same check inside the
  // malicious/spam branch above is redundant (harmless, but can be dropped)
  and not profile.by_sender().any_false_positives

# metadata used for categorisation in the rule feed
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
# stable rule identifier; do not change across revisions
id: "b59201b6-f253-55a6-9c0a-e1500a32a751"