
Attachment: PDF with Microsoft Purview message impersonation

Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(filter(attachments, .file_extension == 'pdf'),
        any(ml.nlu_classifier(beta.ocr(.).text).topics,
            .name == 'Secure Message' and .confidence == 'high'
        )
        and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
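The query above combines three conditions: an inbound message, at least one PDF attachment whose OCR text both classifies as a high-confidence "Secure Message" topic and contains the string "Microsoft Purview Message", and a sender that is either outside the high-trust list or inside it but failing DMARC. The following Python is an added example, not Sublime's code: it replaces `beta.ocr` and `ml.nlu_classifier` with text and topic labels already attached to each constructed attachment, and replaces the `$high_trust_sender_root_domains` list with a constructed set, so the only thing it exercises is how the MQL conditions combine, in particular the trusted-sender / DMARC negation.

```python
"""Offline re-implementation of the rule's boolean logic (added example).

beta.ocr and ml.nlu_classifier are stand-ins here: each constructed
attachment already carries its OCR text and NLU topic labels. The
high-trust list is likewise a constructed set, not a real tenant's list.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the $high_trust_sender_root_domains list.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com", "example-partner.com"}


@dataclass
class Attachment:
    file_extension: str
    ocr_text: str                                   # stands in for beta.ocr(.).text
    nlu_topics: list = field(default_factory=list)  # [(name, confidence), ...]


@dataclass
class Message:
    inbound: bool                 # type.inbound
    sender_root_domain: str       # sender.email.domain.root_domain
    dmarc_pass: bool              # headers.auth_summary.dmarc.pass
    attachments: list


def attachment_matches(att: Attachment) -> bool:
    """Per-attachment predicate inside any(filter(attachments, ...), ...)."""
    if att.file_extension != "pdf":
        return False
    secure_message_topic = any(
        name == "Secure Message" and confidence == "high"
        for name, confidence in att.nlu_topics
    )
    # strings.icontains is a case-insensitive substring match.
    brand_string = "microsoft purview message" in att.ocr_text.lower()
    return secure_message_topic and brand_string


def sender_not_exempt(msg: Message) -> bool:
    """The negation block: a trusted root domain is exempt only while DMARC passes."""
    trusted = msg.sender_root_domain in HIGH_TRUST_SENDER_ROOT_DOMAINS
    return (trusted and not msg.dmarc_pass) or not trusted


def rule_matches(msg: Message) -> bool:
    return (
        msg.inbound
        and any(attachment_matches(a) for a in msg.attachments)
        and sender_not_exempt(msg)
    )


# Constructed lure text, shaped like a secure-message notification.
LURE_PDF = Attachment(
    "pdf",
    "You have received a Microsoft Purview Message. Open the attachment to read it.",
    [("Secure Message", "high")],
)


def sample_verdicts() -> dict:
    """Constructed messages exercising each branch of the rule."""
    cases = {
        # Unknown sender carrying the lure PDF: fires.
        "lookalike_sender": Message(True, "rnicrosoft-secure.com", False, [LURE_PDF]),
        # Spoofed trusted domain that fails DMARC: exemption does not apply, fires.
        "spoofed_trusted_dmarc_fail": Message(True, "microsoft.com", False, [LURE_PDF]),
        # Genuine trusted sender passing DMARC: suppressed.
        "trusted_dmarc_pass": Message(True, "microsoft.com", True, [LURE_PDF]),
        # Same text, but the NLU topic is only medium confidence: no match.
        "low_confidence_topic": Message(True, "rnicrosoft-secure.com", False,
            [Attachment("pdf", LURE_PDF.ocr_text, [("Secure Message", "medium")])]),
        # Brand string is in a PNG, not a PDF: filtered out before OCR is considered.
        "not_a_pdf": Message(True, "rnicrosoft-secure.com", False,
            [Attachment("png", LURE_PDF.ocr_text, [("Secure Message", "high")])]),
        # Outbound mail is out of scope.
        "outbound": Message(False, "rnicrosoft-secure.com", False, [LURE_PDF]),
    }
    return {name: rule_matches(m) for name, m in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:28s} {'MATCH' if verdict else 'no match'}")
```

The "spoofed_trusted_dmarc_fail" and "trusted_dmarc_pass" cases are the ones worth checking when tuning: the high-trust list only suppresses the rule when DMARC actually passes, so a lookalike or spoofed high-trust domain still fires.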

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
name: "Attachment: PDF with Microsoft Purview message impersonation"
description: "Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(filter(attachments, .file_extension == 'pdf'),
          any(ml.nlu_classifier(beta.ocr(.).text).topics,
              .name == 'Secure Message' and .confidence == 'high'
          )
          and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Content analysis"
id: "571d4964-dc44-56eb-bff4-11068b1cd119"