Suspicious Office 365 app authorization (OAuth) link
Message contains a suspicious Office 365 app authorization (OAuth) link. The app may have been compromised or stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.
Sublime rule (View on GitHub)
name: "Suspicious Office 365 app authorization (OAuth) link"
description: |
  Message contains a suspicious Office 365 app authorization (OAuth) link. The app may be compromised or
  was stood up for malicious purposes. Once the app has been authorized, the attacker will have
  read or write permissions to the user's Office 365 account.
references:
  - "https://info.phishlabs.com/blog/office-365-phishing-uses-malicious-app-persist-password-reset"
type: "rule"
severity: "high"
# Detection logic (MQL). The same login.microsoftonline.com URL predicate is applied in three
# places -- body links, URLs extracted from exploded attachments, and links inside ICS calendar
# events -- so any tuning of the query-string patterns has to be mirrored in all three copies.
source: |
  // Only inbound mail is in scope.
  type.inbound
  and (
    // links in email body
    any(body.links,
        // Host must be the Microsoft identity platform login endpoint.
        .href_url.domain.domain == 'login.microsoftonline.com'
        and (
          // Case-insensitive wildcard match on the query string (presumably the raw query
          // string as delivered -- verify against the schema). The patterns target scope
          // names that grant persistent or broad access to the account.
          // NOTE(review): '*.read*' also matches everything '*.readwrite*' matches, and it
          // will match ordinary delegated read scopes too (e.g. User.Read), so legitimate
          // consent links can trigger this branch; the breadth appears intentional here.
          strings.ilike(.href_url.query_params,
                        '*offline_access*',
                        '*.readwrite*',
                        '*.read*',
                        '*ctx=*',
                        '*prompt=none*'
          )
          // NOTE(review): this branch requires 'ctx=' in the query string, which the
          // '*ctx=*' pattern above already matches on its own, so it never produces an
          // additional hit; retained as written, removing it would not change matches.
          or (
            strings.icontains(.href_url.path, '/common/reprocess')
            and strings.icontains(.href_url.query_params, 'ctx=')
            and strings.icontains(.href_url.query_params, 'sessionId=')
          )
        )
    )
    // links in PDF, HTML, DOCX and PPTX attachments
    // Attachments are exploded and every URL found by the scanner is checked with the
    // same predicate as the body-link branch above (note the field is .domain / .path /
    // .query_params directly on the URL object here, not .href_url.*).
    or any(filter(attachments, .file_type in ("pdf", "html", "docx", "pptx")),
           any(file.explode(.),
               any(.scan.url.urls,
                   .domain.domain == 'login.microsoftonline.com'
                   and (
                     strings.ilike(.query_params,
                                   '*offline_access*',
                                   '*.readwrite*',
                                   '*.read*',
                                   '*ctx=*',
                                   '*prompt=none*'
                     )
                     // Same subsumption as above: '*ctx=*' already covers this branch.
                     or (
                       strings.icontains(.path, '/common/reprocess')
                       and strings.icontains(.query_params, 'ctx=')
                       and strings.icontains(.query_params, 'sessionId=')
                     )
                   )
               )
           )
    )
    // links in calendar invites: an attachment counts as ICS if any of the detected
    // file type, the file extension, or the declared MIME type says so.
    or any(attachments,
           (
             .file_type == "ics"
             or .file_extension == "ics"
             or .content_type in ("application/ics", "text/calendar")
           )
           //
           // This rule makes use of a beta feature and is subject to change without notice
           // using the beta feature in custom rules is not suggested until it has been formally released
           //
           // Each parsed event's links get the same predicate as the body-link branch.
           and any(beta.file.parse_ics(.).events,
                   any(.links,
                       .href_url.domain.domain == 'login.microsoftonline.com'
                       and (
                         strings.ilike(.href_url.query_params,
                                       '*offline_access*',
                                       '*.readwrite*',
                                       '*.read*',
                                       '*ctx=*',
                                       '*prompt=none*'
                         )
                         // Same subsumption as above: '*ctx=*' already covers this branch.
                         or (
                           strings.icontains(.href_url.path, '/common/reprocess')
                           and strings.icontains(.href_url.query_params, 'ctx=')
                           and strings.icontains(.href_url.query_params,
                                                 'sessionId='
                           )
                         )
                       )
                   )
           )
    )
  )
attack_types:
  - "Credential Phishing"
detection_methods:
  - "URL analysis"
id: "13a8c430-3e62-5c8f-86b5-3722599bead4"