Credential phishing: Blue button styled link with file-sharing template artifacts

Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to a legitimate Microsoft/Office 365 domain, a tenant-owned domain, or a Mimecast-rewritten link whose original destination is one of those.


# Sublime Security detection rule. Flags inbound mail that carries a
# blue, button-styled <a> element (a hallmark of generic "shared file"
# phishing templates) whose destination is not an allowlisted
# Microsoft/tenant domain. Severity is low because the visual artifact
# alone is a weak signal; the thread and NLU checks below narrow it.
name: "Credential phishing: Blue button styled link with file-sharing template artifacts"
description: "Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains."
type: "rule"
severity: "low"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  and (
    // Either the message carries no quoted prior thread ...
    // no previous threads
    length(body.previous_threads) == 0
    // ... or it looks like a reply/forward without the threading headers
    // a real reply would carry (no References, no In-Reply-To), i.e. a
    // fabricated thread.
    // or is a fake thread
    or (
      (length(headers.references) == 0 or headers.in_reply_to is null)
      and (
        subject.is_reply
        or subject.is_forward
        or length(body.previous_threads) > 0
      )
    )
  )
  // Select every <a href> whose raw markup sets a background /
  // background-color to one of the observed "blue button" hex values,
  // then require at least one of them to (a) look button-styled and
  // (b) NOT resolve to an allowlisted destination.
  and any(filter(html.xpath(body.html, '//a[@href]').nodes,
                 // blue button background, background-color and observed colors
                 regex.icontains(.raw,
                                 '(?:background(?:-color)?)\s*[:\s]\s*#(?:0078d4|3a78d1)'
                 )
          ),
          (
            // it's styled as a button
            // Presence of a 'padding' style is used as the button heuristic.
            regex.icontains(.raw, 'padding')
          )
          // ignore links going to microsoft
          // Allowlist: the anchor is exempt if ANY of its links is
          // (1) a Microsoft-brand second-level domain, (2) a tenant domain,
          // or (3) a Mimecast-rewritten URL whose decoded 'domain' query
          // parameter points at a Microsoft/tenant host.
          and not any(.links,
                      (
                        // NOTE(review): `sld` is the second-level label only,
                        // compared without its TLD, so this also exempts
                        // e.g. microsoft.<any-tld> / azure.<any-tld>.
                        // "outlook.office365" contains a dot and is unlikely
                        // to ever equal an sld — confirm whether a
                        // root_domain comparison was intended here.
                        .href_url.domain.sld in (
                          "microsoft",
                          "azure",
                          "outlook.office365",
                          "office365"
                        )
                      )
                      or .href_url.domain.domain in $tenant_domains
                      or (
                        // Mimecast URL protection rewrites links and carries
                        // the original host in the 'domain' query parameter;
                        // unwrap it and apply the same Microsoft/tenant check
                        // (exact host match here, not sld).
                        .href_url.domain.root_domain in (
                          "mimecast.com",
                          "mimecastprotect.com"
                        )
                        and any(.href_url.query_params_decoded['domain'],
                                strings.parse_domain(.).domain in (
                                  "microsoft.com",
                                  "azure.com",
                                  "outlook.office365.com",
                                  "office365.com"
                                )
                                or strings.parse_domain(.).domain in $tenant_domains
                        )
                      )
          )
  )
  // Require the current thread text to carry at least one non-benign
  // NLU intent, so purely stylistic matches on benign mail are dropped.
  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  // negate attachments that contain the known microsoft content type
  // (Microsoft rights-managed / encrypted message payloads).
  and not any(attachments,
              strings.icontains(.content_type, 'x-microsoft-rpmsg-message')
  )
  // negate microsoft emails who pass auth
  // Only an authenticated (DMARC pass) microsoft.com sender is exempted;
  // a spoofed microsoft.com From that fails DMARC is still evaluated.
  and not (
    sender.email.domain.root_domain == "microsoft.com"
    and headers.auth_summary.dmarc.pass
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
id: "370f6c07-e59c-515a-9b4b-7be70b5e7284"