← Back to Explore
sublimehighRule
Brand impersonation: Microsoft with embedded logo and credential theft language
This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.
Detection Query
type.inbound
and (
(
length(attachments) > 0
and all(attachments,
.file_type in $file_types_images or .file_type == "pdf"
)
)
or length(attachments) == 0
)
and any(ml.logo_detect(file.message_screenshot()).brands,
strings.starts_with(.name, "Microsoft")
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or (
length(body.current_thread.text) == 0
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
and (
not (
headers.auth_summary.dmarc.pass
and headers.auth_summary.dmarc.details.from.domain in (
"azureadnotifications.us",
"microsoft.com",
"sharepointonline.com",
"cloudappsecurity.com",
"microsoftsupport.com",
"microsoft.onmicrosoft.com",
"yammer.com"
)
)
or headers.auth_summary.dmarc.pass is null
or headers.auth_summary.dmarc.details.from.domain is null
)
and not (
sender.email.domain.domain == "planner.office365.com"
and headers.return_path.email == "noreply@planner.office365.com"
and headers.auth_summary.dmarc.details.from.root_domain == "office365.com"
)
// Microsoft has some legit onmicrosoft domains...
and not (
sender.email.domain.domain == "microsoft.onmicrosoft.com"
and headers.auth_summary.spf.pass
and all(body.links, .href_url.domain.root_domain == "microsoft.com")
)
// message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
and not (
(
strings.ilike(headers.message_id,
'<Share-*',
'<MassDelete-*',
'<FileDeleteAfterExpiration-*',
'<NotifyOwnerSharedWithExternalUsers*',
'<OneTimePasscode*'
)
and strings.ends_with(headers.message_id, '@odspnotify>')
)
or (
any(headers.hops,
any(.fields,
.name == "X-Google-Original-Message-ID"
and strings.ilike(.value,
'<Share-*',
'<MassDelete-*',
'<FileDeleteAfterExpiration-*',
'<NotifyOwnerSharedWithExternalUsers*',
'<OneTimePasscode*'
)
and strings.ends_with(.value, '@odspnotify>')
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate org domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $org_domains
and (
not headers.auth_summary.dmarc.pass
// MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
or not (
headers.auth_summary.dmarc.pass is null
and all(headers.domains,
.root_domain in ("outlook.com", "office365.com")
)
// typical emails from freemail Outlook accounts are from prod.outlook.com
and strings.ends_with(headers.message_id, "protection.outlook.com>")
)
)
)
or sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
type: "rule"
severity: "high"
source: |
type.inbound
and (
(
length(attachments) > 0
and all(attachments,
.file_type in $file_types_images or .file_type == "pdf"
)
)
or length(attachments) == 0
)
and any(ml.logo_detect(file.message_screenshot()).brands,
strings.starts_with(.name, "Microsoft")
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or (
length(body.current_thread.text) == 0
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
and (
not (
headers.auth_summary.dmarc.pass
and headers.auth_summary.dmarc.details.from.domain in (
"azureadnotifications.us",
"microsoft.com",
"sharepointonline.com",
"cloudappsecurity.com",
"microsoftsupport.com",
"microsoft.onmicrosoft.com",
"yammer.com"
)
)
or headers.auth_summary.dmarc.pass is null
or headers.auth_summary.dmarc.details.from.domain is null
)
and not (
sender.email.domain.domain == "planner.office365.com"
and headers.return_path.email == "noreply@planner.office365.com"
and headers.auth_summary.dmarc.details.from.root_domain == "office365.com"
)
// Microsoft has some legit onmicrosoft domains...
and not (
sender.email.domain.domain == "microsoft.onmicrosoft.com"
and headers.auth_summary.spf.pass
and all(body.links, .href_url.domain.root_domain == "microsoft.com")
)
// message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
and not (
(
strings.ilike(headers.message_id,
'<Share-*',
'<MassDelete-*',
'<FileDeleteAfterExpiration-*',
'<NotifyOwnerSharedWithExternalUsers*',
'<OneTimePasscode*'
)
and strings.ends_with(headers.message_id, '@odspnotify>')
)
or (
any(headers.hops,
any(.fields,
.name == "X-Google-Original-Message-ID"
and strings.ilike(.value,
'<Share-*',
'<MassDelete-*',
'<FileDeleteAfterExpiration-*',
'<NotifyOwnerSharedWithExternalUsers*',
'<OneTimePasscode*'
)
and strings.ends_with(.value, '@odspnotify>')
)
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate org domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $org_domains
and (
not headers.auth_summary.dmarc.pass
// MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
or not (
headers.auth_summary.dmarc.pass is null
and all(headers.domains,
.root_domain in ("outlook.com", "office365.com")
)
// typical emails from freemail Outlook accounts are from prod.outlook.com
and strings.ends_with(headers.message_id, "protection.outlook.com>")
)
)
)
or sender.email.domain.root_domain not in $org_domains
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Natural Language Understanding"
- "Sender analysis"
id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"