This rule detects a common credential phishing vector enticing the user to engage with links under the premise that they have a voicemail to retrieve.
The rule requires at least one link; the word "voicemail" in the display name, body, subject, or a combination of those elements; a medium-to-high credential-theft NLU intent; and a first-time sender.
Detects messages with a link to a Microsoft-hosted logo where the sender's display name and the display text of a link in the body are both in all caps, and a request is being made by a first-time sender.
Detects HTML attachments containing base64-encoded files that are downloaded via embedded hyperlinks. Attackers use this TTP to bypass email and web filters, since the file is never fetched from an external source. Recently observed delivering Qakbot.
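As an added illustration of the detection described above (this is not the rule's own logic), the following Python parses an HTML attachment, finds hyperlinks whose `href` is an inline `data:...;base64,` URI, decodes the payload and characterises it by magic number. The sample attachment is constructed in code and contains a placeholder zip, not a real malicious file.

```python
import base64
import io
import re
import zipfile
from html.parser import HTMLParser

# A data: URI carrying a base64 payload. Whitespace inside the payload is
# tolerated because some generators wrap the encoded text.
DATA_URI = re.compile(
    r"^data:(?P<mime>[\w/.+-]*);base64,(?P<payload>[A-Za-z0-9+/=\s]+)$", re.I
)

# File-type magic numbers used to characterise a smuggled payload.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",
}


class _AnchorCollector(HTMLParser):
    """Collect the attributes of every <a> element in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self.anchors.append(dict(attrs))


def find_smuggled_files(html_text):
    """Return one finding per hyperlink whose href is an inline base64 file."""
    parser = _AnchorCollector()
    parser.feed(html_text)
    findings = []
    for attrs in parser.anchors:
        href = (attrs.get("href") or "").strip()
        match = DATA_URI.match(href)
        if not match:
            continue
        try:
            raw = base64.b64decode(re.sub(r"\s+", "", match.group("payload")), validate=True)
        except ValueError:
            # Malformed base64: skip rather than guess at the content.
            continue
        file_type = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), "unknown")
        findings.append({
            "mime": match.group("mime").lower(),
            "download_name": attrs.get("download") or "",
            "size": len(raw),
            "file_type": file_type,
        })
    return findings


def constructed_sample_attachment():
    """Build a constructed HTML attachment (not a real sample) with an inline zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt", b"placeholder contents, not a real payload")
    payload = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><p>Your document is ready.</p>"
        f'<a href="data:application/zip;base64,{payload}" download="invoice.zip">Download</a>'
        '<a href="https://example.com/help">Help</a></body></html>'
    )


if __name__ == "__main__":
    for finding in find_smuggled_files(constructed_sample_attachment()):
        print(finding)
```

In a mail pipeline the same function would be run over every `text/html` attachment; a finding with `file_type` of `zip`, `pe` or `ole` plus a `download` attribute is the signal worth alerting on, whereas a small `data:image/...` inline logo should be ignored by the caller.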
Attackers have used the Google Translate service to deliver links to malicious sites repackaged with a translate.goog top-level domain.
This rule identifies instances of Google Translate links from unsolicited senders.
An attacker may generate a user code and send it to a target mailbox. With an appropriate lure, the targeted user may complete the device code login and thereby give the attacker the means to take over their account.
This rule looks for the presence of the Microsoft device login portal link, together with a mention of "device code" or a 9-character alphanumeric device code value.
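The check described above, as an added Python example that is not the rule's own code: a message is flagged only when it carries a link to the device login portal and either the phrase "device code" or a stand-alone 9-character upper-case alphanumeric token. The portal URL fragments in `DEVICE_LOGIN_PATHS` and the four sample messages are assumptions constructed for the example.

```python
import re

# Assumed indicators of the Microsoft device login portal; adjust to the
# exact URLs observed in your environment.
DEVICE_LOGIN_PATHS = (
    "microsoft.com/devicelogin",
    "login.microsoftonline.com/common/oauth2/deviceauth",
)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)
DEVICE_CODE_PHRASE = re.compile(r"\bdevice\s*code\b", re.I)
# A stand-alone 9-character upper-case alphanumeric token, as in the rule description.
DEVICE_CODE_VALUE = re.compile(r"(?<![A-Z0-9])[A-Z0-9]{9}(?![A-Z0-9])")


def has_device_login_link(text):
    """True if any URL in the text points at a known device login portal path."""
    return any(p in url.lower() for url in URL.findall(text) for p in DEVICE_LOGIN_PATHS)


def device_code_indicators(text):
    """Evaluate the three indicators independently so analysts can see which fired."""
    # Strip URLs before scanning for a code so path segments cannot masquerade as codes.
    without_urls = URL.sub(" ", text)
    return {
        "portal_link": has_device_login_link(text),
        "phrase": bool(DEVICE_CODE_PHRASE.search(without_urls)),
        "code_value": bool(DEVICE_CODE_VALUE.search(without_urls)),
    }


def is_device_code_lure(text):
    """Portal link is mandatory; either the phrase or a code value completes the match."""
    ind = device_code_indicators(text)
    return ind["portal_link"] and (ind["phrase"] or ind["code_value"])


# Constructed sample messages (not real phishing content).
CONSTRUCTED_MESSAGES = {
    "lure_with_code": "IT requires re-authentication. Visit https://microsoft.com/devicelogin and enter the code ABC4DEF9K.",
    "lure_with_phrase": "Please enter the device code at https://microsoft.com/devicelogin to keep access.",
    "benign_token": "Order reference AB12CD34E has shipped. Track it at https://example.com/track",
    "benign_plain": "Hi team, the quarterly numbers are attached.",
}

if __name__ == "__main__":
    for name, body in CONSTRUCTED_MESSAGES.items():
        print(name, is_device_code_lure(body), device_code_indicators(body))
```

Requiring the portal link keeps a lone 9-character token (an order number, a ticket id) from triggering on its own; the per-indicator breakdown is what you would surface in the alert so a responder can see whether it was the phrase or the code value that matched.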
Message contains a suspicious Office 365 app authorization link. The app may be compromised or may have been stood up for malicious purposes. Once the app has been authorized, the attacker will have read or write permissions to the user's Office 365 account.