Credential phishing: Blue button styled link with file-sharing template artifacts
Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains.
Sublime rule (View on GitHub)
1name: "Credential phishing: Blue button styled link with file-sharing template artifacts"
2description: "Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains."
3type: "rule"
4severity: "low"
5source: |
6 type.inbound
7 and (
8 // no previous threads
9 length(body.previous_threads) == 0
10 // or is a fake thread
11 or (
12 (length(headers.references) == 0 or headers.in_reply_to is null)
13 and (
14 subject.is_reply
15 or subject.is_forward
16 or length(body.previous_threads) > 0
17 )
18 )
19 )
20 and any(filter(html.xpath(body.html,
21 // require some styling anywhere in the anchor before running the
22 // (comparatively expensive) regex checks below
23 '//a[@href][@style or .//@style]'
24 ).nodes,
25 // blue button background, background-color and observed colors
26 regex.icontains(.raw,
27 '(?:background(?:-color)?)\s*[:\s]\s*#(?:0078d4|3a78d1)'
28 )
29 ),
30 (
31 // it's styled as a button
32 regex.icontains(.raw, 'padding')
33 )
34 // ignore links going to microsoft
35 and not any(.links,
36 (
37 .href_url.domain.sld in (
38 "microsoft",
39 "azure",
40 "outlook.office365",
41 "office365"
42 )
43 )
44 or .href_url.domain.domain in $tenant_domains
45 or (
46 .href_url.domain.root_domain in (
47 "mimecast.com",
48 "mimecastprotect.com"
49 )
50 and any(.href_url.query_params_decoded['domain'],
51 strings.parse_domain(.).domain in (
52 "microsoft.com",
53 "azure.com",
54 "outlook.office365.com",
55 "office365.com"
56 )
57 or strings.parse_domain(.).domain in $tenant_domains
58 )
59 )
60 )
61 )
62 and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
63 // negate attachments that contain the known microsoft content type
64 and not any(attachments,
65 strings.icontains(.content_type, 'x-microsoft-rpmsg-message')
66 )
67 // negate microsoft emails who pass auth
68 and not (
69 sender.email.domain.root_domain == "microsoft.com"
70 and headers.auth_summary.dmarc.pass
71 )
72
73attack_types:
74 - "Credential Phishing"
75tactics_and_techniques:
76 - "Impersonation: Brand"
77 - "Social engineering"
78detection_methods:
79 - "Content analysis"
80 - "HTML analysis"
81 - "URL analysis"
82id: "370f6c07-e59c-515a-9b4b-7be70b5e7284"