Brand impersonation: Microsoft with low reputation links
Detects low reputation links with Microsoft specific indicators in the body.
name: "Brand impersonation: Microsoft with low reputation links"
description: "Detects low reputation links with Microsoft specific indicators in the body."
type: "rule"
severity: "medium"
# Detection logic (MQL). Every top-level clause below is AND-ed: inbound message,
# a suspicious link, not a reply, a Microsoft logo, suspicious wording, an NLU signal,
# a non-Microsoft sender, a trust/DMARC gate, and a sender-profile gate.
source: |
  type.inbound
  // suspicious link
  // evaluated per link: the link must be low-reputation (or a mass-mailer /
  // AMP redirector), not on the Microsoft exclusion list, and not an org domain
  and any(body.links,
          (
            .href_url.domain.root_domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in (
              "hubspotlinks.com",
              "mandrillapp.com",
              "sendgrid.net",
              "rs6.net"
            )

            // Google AMP redirect
            or (
              .href_url.domain.sld == "google"
              and strings.starts_with(.href_url.path, "/amp/")
            )
          )

          // exclude sources of potential FPs
          and (
            .href_url.domain.root_domain not in (
              "svc.ms",
              "sharepoint.com",
              "1drv.ms",
              "microsoft.com",
              "aka.ms",
              "msftauthimages.net"
            )
            // NOTE(review): this inner any() scans every link in the body, not the
            // current link — if any body link points at a free file host, the
            // exclusion list above no longer applies to this link; confirm intended
            or any(body.links, .href_url.domain.domain in $free_file_hosts)
          )
          and .href_url.domain.root_domain not in $org_domains
  )

  // not a reply
  // either an empty References header or no In-Reply-To field on any hop suffices
  and (
    length(headers.references) == 0
    or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )

  // Microsoft logo
  // detected on an image attachment or on a screenshot of the rendered message
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           strings.starts_with(.name, "Microsoft")
    )
  )

  // suspicious content
  // a word from the first list AND a word from the second list must both appear,
  // in the plain-text body, in an image attachment's OCR text, or in the
  // message screenshot's OCR text
  // NOTE(review): the two OCR branches use "*messages*" where the body branch
  // uses "*message*" — confirm the narrower OCR pattern is intentional
  and (
    (
      strings.ilike(body.plain.raw,
                    "*password*",
                    "*document*",
                    "*voicemail*",
                    "*cache*",
                    "*fax*",
                    "*storage*",
                    "*quota*",
                    "*message*"
      )
      and strings.ilike(body.plain.raw,
                        "*terminated*",
                        "*review*",
                        "*expire*",
                        "*click*",
                        "*view*",
                        "*exceed*",
                        "*clear*",
                        "*only works*",
                        "*failed*",
                        "*deleted*"
      )
    )
    or (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*password*",
                                "*document*",
                                "*voicemail*",
                                "*cache*",
                                "*fax*",
                                "*storage*",
                                "*quota*",
                                "*messages*"
                  )
                  and strings.ilike(.scan.ocr.raw,
                                    "*terminated*",
                                    "*review*",
                                    "*expire*",
                                    "*click*",
                                    "*view*",
                                    "*exceed*",
                                    "*clear*",
                                    "*only works*",
                                    "*failed*",
                                    "*deleted*"
                  )
          )
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          strings.ilike(.scan.ocr.raw,
                        "*password*",
                        "*document*",
                        "*voicemail*",
                        "*cache*",
                        "*fax*",
                        "*storage*",
                        "*quota*",
                        "*messages*"
          )
          and strings.ilike(.scan.ocr.raw,
                            "*terminated*",
                            "*review*",
                            "*expire*",
                            "*click*",
                            "*view*",
                            "*exceed*",
                            "*clear*",
                            "*only works*",
                            "*failed*",
                            "*deleted*"
          )
      )
    )
  )
  // NLU signal: credential-theft intent in the thread text or in attachment OCR,
  // or an urgency entity without a high-confidence benign intent
  // NOTE(review): `in~` is used for the thread-text confidence check but `in` for
  // the OCR check below — confirm the case-sensitivity difference is intended
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in~ ("medium", "high")
    )
    or any(attachments,
           .file_type in $file_types_images
           and any(file.explode(.),
                   any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name == "cred_theft" and .confidence in ("medium", "high")
                   )
           )
    )
    or (
      any(ml.nlu_classifier(body.html.inner_text).entities, .name == "urgency")
      and not any(ml.nlu_classifier(body.current_thread.text).intents,
                  .name == "benign" and .confidence == "high"
      )
    )
  )
  // sender root domains treated as legitimate Microsoft-branded senders
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com"
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // only hops that carry a DMARC result are examined; a high-trust sender passes
  // this gate only when at least one such hop reports a failure
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

  // sender profile: unsolicited, or previously seen as malicious/spam
  and (
    (
      not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // any prior false positive for this sender negates the rule outright; this
  // makes the any_false_positives check inside the branch above redundant
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Image as content"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "b59201b6-f253-55a6-9c0a-e1500a32a751"