
Credential phishing: Blue button styled link with file-sharing template artifacts

Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains.

MITRE ATT&CK

initial-access

Detection Query

// Purpose: flag inbound mail whose HTML carries a blue, button-styled link (an
// artifact of generic file-sharing phishing templates) that does not resolve to
// Microsoft, Azure, Office 365 or the tenant's own domains, and whose current
// thread text the NLU classifier does not consider benign.
type.inbound
and (
  // no previous threads: a fresh message rather than a quoted reply chain
  length(body.previous_threads) == 0
  // or is a fake thread: looks like a reply/forward (subject prefix or quoted
  // threads present) but lacks the References / In-Reply-To headers a real
  // reply would carry
  or (
    (length(headers.references) == 0 or headers.in_reply_to is null)
    and (
      subject.is_reply
      or subject.is_forward
      or length(body.previous_threads) > 0
    )
  )
)
// at least one <a href> node that is styled as a blue button and none of whose
// links goes to an allow-listed Microsoft / tenant destination
and any(filter(html.xpath(body.html, '//a[@href]').nodes,
               // blue button background, background-color and observed colors
               // (#0078d4 is widely used as Microsoft's primary blue; #3a78d1 was
               // observed in templates); [:\s] also tolerates "background #..."
               regex.icontains(.raw,
                               '(?:background(?:-color)?)\s*[:\s]\s*#(?:0078d4|3a78d1)'
               )
        ),
        (
          // it's styled as a button: the node's raw markup carries a "padding"
          // declaration
          regex.icontains(.raw, 'padding')
        )
        // ignore links going to microsoft: if ANY link of the node resolves to
        // one of the destinations below the node is not counted
        and not any(.links,
                    (
                      // NOTE(review): .sld is normally the single label left of
                      // the public suffix; the multi-label entry "outlook.office365"
                      // looks unlikely to ever match - confirm against a sample
                      .href_url.domain.sld in (
                        "microsoft",
                        "azure",
                        "outlook.office365",
                        "office365"
                      )
                    )
                    // the organisation's own domains
                    or .href_url.domain.domain in $tenant_domains
                    // Mimecast-rewritten URLs: judge the decoded 'domain' query
                    // parameter (the real destination) rather than the wrapper host
                    or (
                      .href_url.domain.root_domain in (
                        "mimecast.com",
                        "mimecastprotect.com"
                      )
                      and any(.href_url.query_params_decoded['domain'],
                              strings.parse_domain(.).domain in (
                                "microsoft.com",
                                "azure.com",
                                "outlook.office365.com",
                                "office365.com"
                              )
                              or strings.parse_domain(.).domain in $tenant_domains
                      )
                    )
        )
)
// the classifier must assign at least one non-benign intent to the current thread
and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
// negate attachments that contain the known microsoft content type
// (rpmsg: Microsoft rights-managed / protected message payload)
and not any(attachments,
            strings.icontains(.content_type, 'x-microsoft-rpmsg-message')
)
// negate microsoft emails who pass auth: the From domain alone is spoofable,
// so the exclusion also requires a DMARC pass
and not (
  sender.email.domain.root_domain == "microsoft.com"
  and headers.auth_summary.dmarc.pass
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Sublime Security rule definition. The MQL detection logic is the `source`
# block scalar; the remaining keys are rule metadata.
name: "Credential phishing: Blue button styled link with file-sharing template artifacts"
description: "Detects inbound messages containing styled blue button links commonly associated with generic file-sharing phishing templates, where the link does not point to legitimate Outlook domains."
type: "rule"
# severity is low; presumably because the button-styling heuristic is broad on
# its own - the query below stacks it with an NLU intent check and allow-lists
severity: "low"
# MQL query evaluated per message (see the inline // comments inside it)
source: |
  type.inbound
  and (
    // no previous threads
    length(body.previous_threads) == 0
    // or is a fake thread
    or (
      (length(headers.references) == 0 or headers.in_reply_to is null)
      and (
        subject.is_reply
        or subject.is_forward
        or length(body.previous_threads) > 0
      )
    )
  )
  and any(filter(html.xpath(body.html, '//a[@href]').nodes,
                 // blue button background, background-color and observed colors
                 regex.icontains(.raw,
                                 '(?:background(?:-color)?)\s*[:\s]\s*#(?:0078d4|3a78d1)'
                 )
          ),
          (
            // it's styled as a button
            regex.icontains(.raw, 'padding')
          )
          // ignore links going to microsoft
          and not any(.links,
                      (
                        .href_url.domain.sld in (
                          "microsoft",
                          "azure",
                          "outlook.office365",
                          "office365"
                        )
                      )
                      or .href_url.domain.domain in $tenant_domains
                      or (
                        .href_url.domain.root_domain in (
                          "mimecast.com",
                          "mimecastprotect.com"
                        )
                        and any(.href_url.query_params_decoded['domain'],
                                strings.parse_domain(.).domain in (
                                  "microsoft.com",
                                  "azure.com",
                                  "outlook.office365.com",
                                  "office365.com"
                                )
                                or strings.parse_domain(.).domain in $tenant_domains
                        )
                      )
          )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents, .name != "benign")
  // negate attachments that contain the known microsoft content type
  and not any(attachments,
              strings.icontains(.content_type, 'x-microsoft-rpmsg-message')
  )
  // negate microsoft emails who pass auth
  and not (
    sender.email.domain.root_domain == "microsoft.com"
    and headers.auth_summary.dmarc.pass
  )
  
# classification metadata
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "URL analysis"
# stable identifier of this rule
id: "370f6c07-e59c-515a-9b4b-7be70b5e7284"