EXPLORE
Sign In
← Back to Explore
sublimehighRule

Brand impersonation: Microsoft logo or suspicious language with open redirect

Message contains a Microsoft logo or suspicious terms and use of an open redirect. This has been exploited in the wild to impersonate Microsoft.

MITRE ATT&CK

T1566.002T1534T1656T1598.003T1566T1598
initial-access

Detection Query

type.inbound
and (length(attachments) < 5 or length(body.links) < 10)
// Microsoft logo
and (
  any(attachments,
      .file_type in $file_types_images
      and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
  )
  or any(attachments,
         .file_type in $file_types_images
         and (
           any(file.explode(.),
               2 of (
                 strings.ilike(.scan.ocr.raw, "*password*"),
                 strings.ilike(.scan.ocr.raw, "*unread messages*"),
                 strings.ilike(.scan.ocr.raw, "*Shared Documents*"),
                 strings.ilike(.scan.ocr.raw, "*expiration*"),
                 strings.ilike(.scan.ocr.raw, "*office*"),
                 strings.ilike(.scan.ocr.raw, "*expire*"),
                 strings.ilike(.scan.ocr.raw, "*expiring*"),
                 strings.ilike(.scan.ocr.raw, "*kindly*"),
                 strings.ilike(.scan.ocr.raw, "*renew*"),
                 strings.ilike(.scan.ocr.raw, "*review"),
                 strings.ilike(.scan.ocr.raw, "*emails failed*"),
                 strings.ilike(.scan.ocr.raw, "*kicked out*"),
                 strings.ilike(.scan.ocr.raw, "*prevented*"),
                 strings.ilike(.scan.ocr.raw, "*storage quota*"),
                 strings.ilike(.scan.ocr.raw, "*required now"),
                 strings.ilike(.scan.ocr.raw, "*cache*"),
                 strings.ilike(.scan.ocr.raw, "*qr code*"),
                 strings.ilike(.scan.ocr.raw, "*barcode*"),
                 strings.ilike(.scan.ocr.raw, "*security update*"),
                 strings.ilike(.scan.ocr.raw, "*quarantine*")
               )
           )
         )
  )
)

// open redirect
and any(body.links,
        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
        and not .href_url.domain.root_domain in $org_domains
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not (
  length(headers.references) > 0
  or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftstoreemail.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com"
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Microsoft logo or suspicious language with open redirect"
description: |
  Message contains a Microsoft logo or suspicious terms and use of an open redirect. This has been exploited in the wild to impersonate Microsoft.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (length(attachments) < 5 or length(body.links) < 10)
  // Microsoft logo
  and (
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
    or any(attachments,
           .file_type in $file_types_images
           and (
             any(file.explode(.),
                 2 of (
                   strings.ilike(.scan.ocr.raw, "*password*"),
                   strings.ilike(.scan.ocr.raw, "*unread messages*"),
                   strings.ilike(.scan.ocr.raw, "*Shared Documents*"),
                   strings.ilike(.scan.ocr.raw, "*expiration*"),
                   strings.ilike(.scan.ocr.raw, "*office*"),
                   strings.ilike(.scan.ocr.raw, "*expire*"),
                   strings.ilike(.scan.ocr.raw, "*expiring*"),
                   strings.ilike(.scan.ocr.raw, "*kindly*"),
                   strings.ilike(.scan.ocr.raw, "*renew*"),
                   strings.ilike(.scan.ocr.raw, "*review"),
                   strings.ilike(.scan.ocr.raw, "*emails failed*"),
                   strings.ilike(.scan.ocr.raw, "*kicked out*"),
                   strings.ilike(.scan.ocr.raw, "*prevented*"),
                   strings.ilike(.scan.ocr.raw, "*storage quota*"),
                   strings.ilike(.scan.ocr.raw, "*required now"),
                   strings.ilike(.scan.ocr.raw, "*cache*"),
                   strings.ilike(.scan.ocr.raw, "*qr code*"),
                   strings.ilike(.scan.ocr.raw, "*barcode*"),
                   strings.ilike(.scan.ocr.raw, "*security update*"),
                   strings.ilike(.scan.ocr.raw, "*quarantine*")
                 )
             )
           )
    )
  )
  
  // open redirect
  and any(body.links,
          any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
          and not .href_url.domain.root_domain in $org_domains
  )
  and (
    not profile.by_sender().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not (
    length(headers.references) > 0
    or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
  and sender.email.domain.root_domain not in $org_domains
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftstoreemail.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com"
  )

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Open redirect"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "27b8d8d8-a117-5d34-b4b0-9adb7c7c971e"