Link: Microsoft protected message with matching sender and recipient addresses

Detects when a user receives a protected message (RPMSG) whose To and From headers match.

Sublime rule (View on GitHub)

name: "Link: Microsoft protected message with matching sender and recipient addresses"
description: "Detects when a user receives a protected message (RPMSG) with the to and from headers matching."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // contains the rpmsg: either the file extension or the declared content type
  // is enough, so a renamed attachment that still carries the RPMSG MIME type matches
  and any(attachments,
          .file_extension == "rpmsg"
          or .content_type == "application/x-microsoft-rpmsg-message"
  )
  // contains the proper link: an office365.com link that either carries an
  // InternetMessageID query parameter or points at the Encryption/retrieve.ashx path
  and any(body.links,
          .href_url.domain.root_domain == "office365.com"
          and (
              strings.icontains(.href_url.query_params, "InternetMessageID=")
              or strings.icontains(.href_url.path, '/Encryption/retrieve.ashx')
          )
  )
  // the To and From headers are the same: exactly one To recipient, and that
  // recipient's address equals the sender's address (a self-addressed message)
  // NOTE(review): this is a plain equality check, so the two addresses would not
  // match if they differ only in letter case — confirm that is the intended behaviour
  and length(recipients.to) == 1 
  and all(recipients.to, .email.email == sender.email.email)  
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "a5a2f75d-88a2-5c19-9b83-fa55c2bd3ccf"
