Sublime | medium | Rule
Link: Microsoft impersonation using hosted png with suspicious link
Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
Detection Query

type.inbound
// display name is in all caps (regex.match is a full-string match)
and regex.match(sender.display_name, '[A-Z ]+')
// the sender is not microsoft
and sender.email.domain.root_domain not in~ (
  'microsoft.com',
  'microsoftsupport.com',
  'office.com'
)
// logo hosted on microsoft.com
and any(body.links,
        regex.icontains(.display_url.url,
                        '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png'
        )
)
// at least one link display text is an all-caps call to action;
// parentheses give an alternation of whole words (square brackets would be a
// character class matching any single letter), and contains is case-sensitive
and any(body.links,
        regex.contains(.display_text, '(VIEW|CLICK|DOWNLOAD|CHECK)')
)
// request being made
and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")
// no body link points back at the sender's own (non-Tranco) domain
and not any(body.links,
            .href_url.domain.root_domain == sender.email.domain.root_domain
            and .href_url.domain.root_domain not in $tranco_1m
)
// org domain in the subject of the message
and any($org_domains, strings.icontains(subject.subject, .))
// sender is new or has a poor history
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Microsoft impersonation using hosted png with suspicious link"
description: |
  Detects messages with a link to a Microsoft hosted logo where the sender's display name
  and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // display name is in all caps (regex.match is a full-string match)
  and regex.match(sender.display_name, '[A-Z ]+')
  // the sender is not microsoft
  and sender.email.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftsupport.com',
    'office.com'
  )
  // logo hosted on microsoft.com
  and any(body.links,
          regex.icontains(.display_url.url,
                          '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png'
          )
  )
  // at least one link display text is an all-caps call to action;
  // parentheses give an alternation of whole words (square brackets would be a
  // character class matching any single letter), and contains is case-sensitive
  and any(body.links,
          regex.contains(.display_text, '(VIEW|CLICK|DOWNLOAD|CHECK)')
  )
  // request being made
  and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")
  // no body link points back at the sender's own (non-Tranco) domain
  and not any(body.links,
              .href_url.domain.root_domain == sender.email.domain.root_domain
              and .href_url.domain.root_domain not in $tranco_1m
  )
  // org domain in the subject of the message
  and any($org_domains, strings.icontains(subject.subject, .))
  // sender is new or has a poor history
  and (
    profile.by_sender().prevalence in ("new", "outlier")
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "07c696d4-c58e-5252-96e2-70211f9de338"