EXPLORE
← Back to Explore
sublimehighRule

Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links

Detects inbound messages containing EML attachments with embedded links targeting Microsoft OAuth authentication flows. The rule identifies suspicious Microsoft login URLs with specific query parameters indicating credential harvesting attempts, including offline access permissions, read/write scopes, and reprocessing endpoints. Links are detected within EML body content, embedded PDF/HTML attachments, and ICS calendar files.

MITRE ATT&CK

initial-accessdefense-evasion

Detection Query

type.inbound
and any(attachments,
        (.content_type == "message/rfc822" or .file_extension in ("eml"))
        and (
          // links in attached EML body
          any(file.parse_eml(.).body.links,
              .href_url.domain.domain == 'login.microsoftonline.com'
              and (
                strings.ilike(.href_url.query_params,
                              '*offline_access*',
                              '*.readwrite*',
                              '*.read*',
                              '*ctx=*',
                              '*prompt=none*'
                )
                or (
                  strings.icontains(.href_url.path, '/common/reprocess')
                  and strings.icontains(.href_url.query_params, 'ctx=')
                  and strings.icontains(.href_url.query_params, 'sessionId=')
                )
              )
          )
          // links in PDF and HTML attachments inside the EML
          or any(filter(file.parse_eml(.).attachments,
                        .file_type in ("pdf", "html")
                 ),
                 any(file.explode(.),
                     any(.scan.url.urls,
                         .domain.domain == 'login.microsoftonline.com'
                         and (
                           strings.ilike(.query_params,
                                         '*offline_access*',
                                         '*.readwrite*',
                                         '*.read*',
                                         '*ctx=*',
                                         '*prompt=none*'
                           )
                           or (
                             strings.icontains(.path, '/common/reprocess')
                             and strings.icontains(.query_params, 'ctx=')
                             and strings.icontains(.query_params, 'sessionId=')
                           )
                         )
                     )
                 )
          )
          // links in ICS attachments inside the EML
          or any(filter(file.parse_eml(.).attachments,
                        .file_type == "ics"
                        or .file_extension == "ics"
                        or .content_type in ("application/ics", "text/calendar")
                 ),
                 //
                 // This rule makes use of a beta feature and is subject to change without notice
                 // using the beta feature in custom rules is not suggested until it has been formally released
                 //
                 any(beta.file.parse_ics(.).events,
                     any(.links,
                         .href_url.domain.domain == 'login.microsoftonline.com'
                         and (
                           strings.ilike(.href_url.query_params,
                                         '*offline_access*',
                                         '*.readwrite*',
                                         '*.read*',
                                         '*ctx=*',
                                         '*prompt=none*'
                           )
                           or (
                             strings.icontains(.href_url.path,
                                               '/common/reprocess'
                             )
                             and strings.icontains(.href_url.query_params,
                                                   'ctx='
                             )
                             and strings.icontains(.href_url.query_params,
                                                   'sessionId='
                             )
                           )
                         )
                     )
                 )
          )
        )
) 

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links"
description: "Detects inbound messages containing EML attachments with embedded links targeting Microsoft OAuth authentication flows. The rule identifies suspicious Microsoft login URLs with specific query parameters indicating credential harvesting attempts, including offline access permissions, read/write scopes, and reprocessing endpoints. Links are detected within EML body content, embedded PDF/HTML attachments, and ICS calendar files."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (.content_type == "message/rfc822" or .file_extension in ("eml"))
          and (
            // links in attached EML body
            any(file.parse_eml(.).body.links,
                .href_url.domain.domain == 'login.microsoftonline.com'
                and (
                  strings.ilike(.href_url.query_params,
                                '*offline_access*',
                                '*.readwrite*',
                                '*.read*',
                                '*ctx=*',
                                '*prompt=none*'
                  )
                  or (
                    strings.icontains(.href_url.path, '/common/reprocess')
                    and strings.icontains(.href_url.query_params, 'ctx=')
                    and strings.icontains(.href_url.query_params, 'sessionId=')
                  )
                )
            )
            // links in PDF and HTML attachments inside the EML
            or any(filter(file.parse_eml(.).attachments,
                          .file_type in ("pdf", "html")
                   ),
                   any(file.explode(.),
                       any(.scan.url.urls,
                           .domain.domain == 'login.microsoftonline.com'
                           and (
                             strings.ilike(.query_params,
                                           '*offline_access*',
                                           '*.readwrite*',
                                           '*.read*',
                                           '*ctx=*',
                                           '*prompt=none*'
                             )
                             or (
                               strings.icontains(.path, '/common/reprocess')
                               and strings.icontains(.query_params, 'ctx=')
                               and strings.icontains(.query_params, 'sessionId=')
                             )
                           )
                       )
                   )
            )
            // links in ICS attachments inside the EML
            or any(filter(file.parse_eml(.).attachments,
                          .file_type == "ics"
                          or .file_extension == "ics"
                          or .content_type in ("application/ics", "text/calendar")
                   ),
                   //
                   // This rule makes use of a beta feature and is subject to change without notice
                   // using the beta feature in custom rules is not suggested until it has been formally released
                   //
                   any(beta.file.parse_ics(.).events,
                       any(.links,
                           .href_url.domain.domain == 'login.microsoftonline.com'
                           and (
                             strings.ilike(.href_url.query_params,
                                           '*offline_access*',
                                           '*.readwrite*',
                                           '*.read*',
                                           '*ctx=*',
                                           '*prompt=none*'
                             )
                             or (
                               strings.icontains(.href_url.path,
                                                 '/common/reprocess'
                               )
                               and strings.icontains(.href_url.query_params,
                                                     'ctx='
                               )
                               and strings.icontains(.href_url.query_params,
                                                     'sessionId='
                               )
                             )
                           )
                       )
                   )
            )
          )
  ) 
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Evasion"
  - "PDF"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Content analysis"
id: "6788a4c8-699b-53af-8f2d-5dafcff63843"