Link: Microsoft protected message with matching sender and recipient addresses
Detects when a user receives a protected message (RPMSG) with the to and from headers matching.
# Rule: a Microsoft protected (RPMSG) message whose single To: recipient is the
# sender's own address. All three conditions below must hold on an inbound message:
#   1. an rpmsg attachment is present (by content type or file extension),
#   2. a body link points at office365.com with the retrieval path or an
#      InternetMessageID query parameter, and
#   3. recipients.to holds exactly one address and it equals sender.email.email.
name: "Link: Microsoft protected message with matching sender and recipient addresses"
description: "Detects when a user receives a protected message (RPMSG) with the to and from headers matching."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // an RPMSG attachment, matched on content type or extension
  and any(attachments,
          .content_type == "application/x-microsoft-rpmsg-message"
          or .file_extension == "rpmsg"
  )
  // a body link on office365.com that carries either the
  // /Encryption/retrieve.ashx path or an InternetMessageID= query parameter
  and any(body.links,
          .href_url.domain.root_domain == "office365.com"
          and (
            strings.icontains(.href_url.path, '/Encryption/retrieve.ashx')
            or strings.icontains(.href_url.query_params, "InternetMessageID=")
          )
  )
  // exactly one To: recipient, and it is the sender's own address
  // (cc/bcc are not inspected; this is a plain == comparison of the two strings)
  and length(recipients.to) == 1
  and all(recipients.to, .email.email == sender.email.email)
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "a5a2f75d-88a2-5c19-9b83-fa55c2bd3ccf"