Credential phishing: Blue button styled link with file-sharing template artifacts

Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains.

Sublime rule (View on GitHub)

 1name: "Credential phishing: Blue button styled link with file-sharing template artifacts"
 2description: "Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  and (
 8    // no previous threads
 9    length(body.previous_threads) == 0
10    // or is a fake thread
11    or (
12      (length(headers.references) == 0 or headers.in_reply_to is null)
13      and (
14        subject.is_reply
15        or subject.is_forward
16        or length(body.previous_threads) > 0
17      )
18    )
19  )
20  and any(filter(html.xpath(body.html,
21                            // require some styling anywhere in the anchor before running the
22                            // (comparatively expensive) regex checks below
23                            '//a[@href][@style or .//@style]'
24                 ).nodes,
25                 // blue button background, background-color and observed colors
26                 regex.icontains(.raw,
27                                 '(?:background(?:-color)?)\s*[:\s]\s*#(?:0078d4|3a78d1)'
28                 )
29          ),
30          (
31            // it's styled as a button
32            regex.icontains(.raw, 'padding')
33          )
34          // ignore links going to microsoft
35          and not any(.links,
36                      (
37                        .href_url.domain.sld in (
38                          "microsoft",
39                          "azure",
40                          "outlook.office365",
41                          "office365"
42                        )
43                      )
44                      or .href_url.domain.domain in $tenant_domains
45                      or (
46                        .href_url.domain.root_domain in (
47                          "mimecast.com",
48                          "mimecastprotect.com"
49                        )
50                        and any(.href_url.query_params_decoded['domain'],
51                                strings.parse_domain(.).domain in (
52                                  "microsoft.com",
53                                  "azure.com",
54                                  "outlook.office365.com",
55                                  "office365.com"
56                                )
57                                or strings.parse_domain(.).domain in $tenant_domains
58                        )
59                      )
60          )
61  )
62  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
63  // negate attachments that contain the known microsoft content type
64  and not any(attachments,
65              strings.icontains(.content_type, 'x-microsoft-rpmsg-message')
66  )
67  // negate microsoft emails who pass auth
68  and not (
69    sender.email.domain.root_domain == "microsoft.com"
70    and headers.auth_summary.dmarc.pass
71  )
72    
73attack_types:
74  - "Credential Phishing"
75tactics_and_techniques:
76  - "Impersonation: Brand"
77  - "Social engineering"
78detection_methods:
79  - "Content analysis"
80  - "HTML analysis"
81  - "URL analysis"
82id: "370f6c07-e59c-515a-9b4b-7be70b5e7284"
to-top