EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Brand impersonation: Microsoft fake sign-in alert

Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1598.003
initial-access

Detection Query

type.inbound
// no links found in body
and length(body.links) == 0
// Microsoft strings
and (
  strings.contains(subject.subject, "Microsoft")
  or strings.contains(sender.display_name, "Microsoft")
  or strings.contains(body.current_thread.text, "Microsoft")
  or (

    // or Microsoft Brand logo
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands,
                strings.starts_with(.name, "Microsoft")
        )
    )
  )
)

// Body contains Indicators of fake sign in notification
and (
  regex.contains(body.current_thread.text,
                 '(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
  )
  or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
)
and (

  // If the sender is freemail
  sender.email.domain.domain in $free_email_providers
  or (

    // sender is not freemail, but the return path email or reply to email is  
    sender.email.domain.domain not in $free_email_providers
    and (
      headers.return_path.domain.root_domain in $free_email_providers
      or (
        length(headers.reply_to) > 0
        and (
          all(headers.reply_to,
              .email.domain.root_domain in $free_email_providers
          )
        )
      )
      or (

        // if all replyto domain, return_path domain, sender domain mismatch
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.domain != headers.return_path.domain.domain
                and headers.return_path.domain.domain != sender.email.domain.domain
        )
      )

      // or the domain is less than 90 days old
      or network.whois(sender.email.domain).days_old <= 90
      or (

        // or Compauth verdict is not pass/softpass
        any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict not in (
              "pass",
              "softpass"
            )
        )
      )
    )
  )
)
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com",
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Brand impersonation: Microsoft fake sign-in alert"
description: |
  Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // no links found in body
  and length(body.links) == 0
  // Microsoft strings
  and (
    strings.contains(subject.subject, "Microsoft")
    or strings.contains(sender.display_name, "Microsoft")
    or strings.contains(body.current_thread.text, "Microsoft")
    or (
  
      // or Microsoft Brand logo
      any(attachments,
          .file_type in $file_types_images
          and any(ml.logo_detect(.).brands,
                  strings.starts_with(.name, "Microsoft")
          )
      )
    )
  )
  
  // Body contains Indicators of fake sign in notification
  and (
    regex.contains(body.current_thread.text,
                   '(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
    )
    or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
  )
  and (
  
    // If the sender is freemail
    sender.email.domain.domain in $free_email_providers
    or (
  
      // sender is not freemail, but the return path email or reply to email is  
      sender.email.domain.domain not in $free_email_providers
      and (
        headers.return_path.domain.root_domain in $free_email_providers
        or (
          length(headers.reply_to) > 0
          and (
            all(headers.reply_to,
                .email.domain.root_domain in $free_email_providers
            )
          )
        )
        or (
  
          // if all replyto domain, return_path domain, sender domain mismatch
          length(headers.reply_to) > 0
          and all(headers.reply_to,
                  .email.domain.domain != headers.return_path.domain.domain
                  and headers.return_path.domain.domain != sender.email.domain.domain
          )
        )
  
        // or the domain is less than 90 days old
        or network.whois(sender.email.domain).days_old <= 90
        or (
  
          // or Compauth verdict is not pass/softpass
          any(headers.hops,
              .authentication_results.compauth.verdict is not null
              and .authentication_results.compauth.verdict not in (
                "pass",
                "softpass"
              )
          )
        )
      )
    )
  )
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
  - "Whois"
id: "3f4c9e7a-4d85-5bee-bc8c-3a737924c236"