← Back to Explore
sublimehighRule
Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links
Detects inbound messages containing EML attachments with embedded links targeting Microsoft OAuth authentication flows. The rule identifies suspicious Microsoft login URLs with specific query parameters indicating credential harvesting attempts, including offline access permissions, read/write scopes, and reprocessing endpoints. Links are detected within EML body content, embedded PDF/HTML attachments, and ICS calendar files.
Detection Query
type.inbound
and any(attachments,
(.content_type == "message/rfc822" or .file_extension in ("eml"))
and (
// links in attached EML body
any(file.parse_eml(.).body.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path, '/common/reprocess')
and strings.icontains(.href_url.query_params, 'ctx=')
and strings.icontains(.href_url.query_params, 'sessionId=')
)
)
)
// links in PDF and HTML attachments inside the EML
or any(filter(file.parse_eml(.).attachments,
.file_type in ("pdf", "html")
),
any(file.explode(.),
any(.scan.url.urls,
.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.path, '/common/reprocess')
and strings.icontains(.query_params, 'ctx=')
and strings.icontains(.query_params, 'sessionId=')
)
)
)
)
)
// links in ICS attachments inside the EML
or any(filter(file.parse_eml(.).attachments,
.file_type == "ics"
or .file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
),
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
any(beta.file.parse_ics(.).events,
any(.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path,
'/common/reprocess'
)
and strings.icontains(.href_url.query_params,
'ctx='
)
and strings.icontains(.href_url.query_params,
'sessionId='
)
)
)
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Microsoft OAuth credential harvesting via EML with embedded malicious links"
description: "Detects inbound messages containing EML attachments with embedded links targeting Microsoft OAuth authentication flows. The rule identifies suspicious Microsoft login URLs with specific query parameters indicating credential harvesting attempts, including offline access permissions, read/write scopes, and reprocessing endpoints. Links are detected within EML body content, embedded PDF/HTML attachments, and ICS calendar files."
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(.content_type == "message/rfc822" or .file_extension in ("eml"))
and (
// links in attached EML body
any(file.parse_eml(.).body.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path, '/common/reprocess')
and strings.icontains(.href_url.query_params, 'ctx=')
and strings.icontains(.href_url.query_params, 'sessionId=')
)
)
)
// links in PDF and HTML attachments inside the EML
or any(filter(file.parse_eml(.).attachments,
.file_type in ("pdf", "html")
),
any(file.explode(.),
any(.scan.url.urls,
.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.path, '/common/reprocess')
and strings.icontains(.query_params, 'ctx=')
and strings.icontains(.query_params, 'sessionId=')
)
)
)
)
)
// links in ICS attachments inside the EML
or any(filter(file.parse_eml(.).attachments,
.file_type == "ics"
or .file_extension == "ics"
or .content_type in ("application/ics", "text/calendar")
),
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
any(beta.file.parse_ics(.).events,
any(.links,
.href_url.domain.domain == 'login.microsoftonline.com'
and (
strings.ilike(.href_url.query_params,
'*offline_access*',
'*.readwrite*',
'*.read*',
'*ctx=*',
'*prompt=none*'
)
or (
strings.icontains(.href_url.path,
'/common/reprocess'
)
and strings.icontains(.href_url.query_params,
'ctx='
)
and strings.icontains(.href_url.query_params,
'sessionId='
)
)
)
)
)
)
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Evasion"
- "PDF"
detection_methods:
- "File analysis"
- "URL analysis"
- "Content analysis"
id: "6788a4c8-699b-53af-8f2d-5dafcff63843"