← Back to Explore
sublimehighRule
Brand impersonation: Microsoft quarantine release notification in image attachment
Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
Detection Query
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(attachments,
any(file.explode(.),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
or (
length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
)
)
and (
(
any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "urgency"
)
)
or any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "sender" and strings.icontains(.text, "Microsoft")
)
)
)
and any(file.explode(.),
3 of (
strings.icontains(.scan.ocr.raw, "review"),
strings.icontains(.scan.ocr.raw, "release"),
strings.icontains(.scan.ocr.raw, "quarantine"),
strings.icontains(.scan.ocr.raw, "messages"),
strings.icontains(.scan.ocr.raw, "blocked"),
strings.icontains(.scan.ocr.raw, "notification"),
any(ml.logo_detect(..).brands,
strings.starts_with(.name, "Microsoft")
)
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Microsoft quarantine release notification in image attachment"
description: |
Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
type: "rule"
severity: "high"
source: |
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(attachments,
any(file.explode(.),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
or (
length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
)
)
and (
(
any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "urgency"
)
)
or any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "sender" and strings.icontains(.text, "Microsoft")
)
)
)
and any(file.explode(.),
3 of (
strings.icontains(.scan.ocr.raw, "review"),
strings.icontains(.scan.ocr.raw, "release"),
strings.icontains(.scan.ocr.raw, "quarantine"),
strings.icontains(.scan.ocr.raw, "messages"),
strings.icontains(.scan.ocr.raw, "blocked"),
strings.icontains(.scan.ocr.raw, "notification"),
any(ml.logo_detect(..).brands,
strings.starts_with(.name, "Microsoft")
)
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "185db6b3-b35c-578d-bd9f-dab0703288fe"