Brand impersonation: Microsoft with low reputation links

Detects low reputation links with Microsoft specific indicators in the body.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Microsoft with low reputation links"
  2description: "Detects low reputation links with Microsoft specific indicators in the body."
  3type: "rule"
  4severity: "medium"
  5source: |
  6 type.inbound
  7 // suspicious link 
  8 and any(body.links,
  9         (
 10           .href_url.domain.root_domain not in $tranco_1m
 11           or .href_url.domain.domain in $free_file_hosts
 12           or .href_url.domain.root_domain in $free_file_hosts
 13           or .href_url.domain.root_domain in $free_subdomain_hosts
 14           or .href_url.domain.domain in $url_shorteners
 15           or 
 16 
 17           // mass mailer link, masks the actual URL
 18           .href_url.domain.root_domain in (
 19             "hubspotlinks.com",
 20             "mandrillapp.com",
 21             "sendgrid.net",
 22             "rs6.net"
 23           )
 24 
 25           // Google AMP redirect
 26           or (
 27             .href_url.domain.sld == "google"
 28             and strings.starts_with(.href_url.path, "/amp/")
 29           )
 30         )
 31 
 32         // exclude sources of potential FPs
 33         and (
 34           .href_url.domain.root_domain not in (
 35             "svc.ms",
 36             "sharepoint.com",
 37             "1drv.ms",
 38             "microsoft.com",
 39             "aka.ms",
 40             "msftauthimages.net",
 41             "mimecastprotect.com",
 42             "office.com"
 43           )
 44           or any(body.links, .href_url.domain.domain in $free_file_hosts)
 45         )
 46         and .href_url.domain.root_domain not in $org_domains
 47         and .href_url.domain.valid 
 48 )
 49 
 50 // not a reply
 51 and (
 52   length(headers.references) == 0
 53   or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 54 )
 55 
 56 // Microsoft logo
 57 and (
 58   any(attachments,
 59       .file_type in $file_types_images
 60       and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
 61   )
 62   or any(ml.logo_detect(beta.message_screenshot()).brands,
 63          strings.starts_with(.name, "Microsoft")
 64   )
 65   or (
 66     regex.icontains(body.html.raw,
 67                     '<table[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s*&nbsp;\s*</td>\s*){2}\s*</tr>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s*&nbsp;\s*</td>\s*){2}'
 68     )
 69     or regex.icontains(body.html.raw,
 70                        '<td style="background:\s*rgb\(246,\s*93,\s*53\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(129,\s*187,\s*5\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(4,\s*165,\s*240\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(255,\s*186,\s*7\);\s*height:\d+px;">'
 71     )
 72     or 4 of (
 73       regex.icontains(body.html.raw,
 74                       '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(245, 189, 67\);">.{0,10}</td>'
 75       ),
 76       regex.icontains(body.html.raw,
 77                       '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(137, 184, 57\);">.{0,10}</td>'
 78       ),
 79       regex.icontains(body.html.raw,
 80                       '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(217, 83, 51\);">.{0,10}</td>'
 81       ),
 82       regex.icontains(body.html.raw,
 83                       '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(71, 160, 218\);">.{0,10}</td>'
 84       )
 85     )
 86   )
 87 )
 88 
 89 // suspicious content
 90 and (
 91   (
 92     strings.ilike(body.plain.raw,
 93                   "*password*",
 94                   "*document*",
 95                   "*voicemail*",
 96                   "*cache*",
 97                   "*fax*",
 98                   "*storage*",
 99                   "*quota*",
100                   "*message*"
101     )
102     and strings.ilike(body.plain.raw,
103                       "*terminated*",
104                       "*review*",
105                       "*expire*",
106                       "*click*",
107                       "*view*",
108                       "*exceed*",
109                       "*clear*",
110                       "*only works*",
111                       "*failed*",
112                       "*deleted*",
113                       "*revalidated*",
114                       "*renewal*"
115     )
116   )
117   or (
118     any(attachments,
119         .file_type in $file_types_images
120         and any(file.explode(.),
121                 strings.ilike(.scan.ocr.raw,
122                               "*password*",
123                               "*document*",
124                               "*voicemail*",
125                               "*cache*",
126                               "*fax*",
127                               "*storage*",
128                               "*quota*",
129                               "*messages*"
130                 )
131                 and strings.ilike(.scan.ocr.raw,
132                                   "*terminated*",
133                                   "*review*",
134                                   "*expire*",
135                                   "*click*",
136                                   "*view*",
137                                   "*exceed*",
138                                   "*clear*",
139                                   "*only works*",
140                                   "*failed*",
141                                   "*deleted*"
142                 )
143         )
144     )
145   )
146   or (
147     any(file.explode(beta.message_screenshot()),
148         strings.ilike(.scan.ocr.raw,
149                       "*password*",
150                       "*document*",
151                       "*voicemail*",
152                       "*cache*",
153                       "*fax*",
154                       "*storage*",
155                       "*quota*",
156                       "*messages*"
157         )
158         and strings.ilike(.scan.ocr.raw,
159                           "*terminated*",
160                           "*review*",
161                           "*expire*",
162                           "*click*",
163                           "*view*",
164                           "*exceed*",
165                           "*clear*",
166                           "*only works*",
167                           "*failed*",
168                           "*deleted*",
169                           "*revalidated*",
170                           "*renewal*"
171         )
172     )
173   )
174   or (
175     any(ml.nlu_classifier(body.current_thread.text).intents,
176         .name == "cred_theft" and .confidence in~ ("medium", "high")
177     )
178     or any(attachments,
179            .file_type in $file_types_images
180            and any(file.explode(.),
181                    any(ml.nlu_classifier(.scan.ocr.raw).intents,
182                        .name == "cred_theft"
183                        and .confidence in ("medium", "high")
184                    )
185            )
186     )
187   )
188 )
189 and sender.email.domain.root_domain not in (
190   "bing.com",
191   "microsoft.com",
192   "microsoftonline.com",
193   "microsoftstoreemail.com",
194   "microsoftsupport.com",
195   "microsoft365.com",
196   "office.com",
197   "office365.com",
198   "onedrive.com",
199   "sharepointonline.com",
200   "yammer.com",
201 )
202 
203  // negate highly trusted sender domains unless they fail DMARC authentication
204  and (
205    (
206      sender.email.domain.root_domain in $high_trust_sender_root_domains
207      and not headers.auth_summary.dmarc.pass
208    )
209    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
210  )
211 and (
212   not profile.by_sender().solicited
213   or (
214     profile.by_sender().any_messages_malicious_or_spam
215     and not profile.by_sender().any_false_positives
216   )
217 )
218 and not profile.by_sender().any_false_positives
219 
220 // exclude marketing jargen from ms partners
221 and not regex.icontains(body.current_thread.text,
222                         'schedul(e|ing).{0,10}(call|meeting|demo|zoom|conversation|time|tool)|book.{0,10}(meeting|demo|call|slot|time)|connect.{0,12}(with me|phone|email)|my.{0,10}(calendar|cal)|reserve.{0,10}s[pl]ot|break the ice|want to know more?|miss your chance|if you no longer wish|low-code (development|approach|solution|journey|platform)'
223 )
224  
225attack_types:
226  - "Credential Phishing"
227tactics_and_techniques:
228  - "Free file host"
229  - "Image as content"
230  - "Impersonation: Brand"
231  - "Social engineering"
232detection_methods:
233  - "Computer Vision"
234  - "Content analysis"
235  - "File analysis"
236  - "Header analysis"
237  - "Natural Language Understanding"
238  - "Optical Character Recognition"
239  - "Sender analysis"
240  - "URL analysis"
241id: "b59201b6-f253-55a6-9c0a-e1500a32a751"
to-top