← Back to Explore
sublimehighRule
Brand impersonation: Microsoft quarantine release notification in body
Message containing suspicious quarantine release language in the body, and a Microsoft logo attachment but did not come from Microsoft.
Detection Query
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(attachments,
any(file.explode(.),
(
// attachment is most likely only a logo
(
length(.scan.ocr.raw) < 15 or .scan.ocr.raw is null
)
and any(ml.logo_detect(..).brands,
strings.starts_with(.name, "Microsoft")
)
)
)
and (
3 of (
strings.ilike(body.current_thread.text, "*review*"),
strings.ilike(body.current_thread.text, "*release*"),
strings.ilike(body.current_thread.text, "*quarantine*"),
strings.ilike(body.current_thread.text, "*messages*"),
strings.ilike(body.current_thread.text, "*blocked*"),
strings.ilike(body.current_thread.text, "*notification*"),
strings.ilike(body.current_thread.text, "*kindly*")
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"office365.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Microsoft quarantine release notification in body"
description: "Message containing suspicious quarantine release language in the body, and a Microsoft logo attachment but did not come from Microsoft."
type: "rule"
severity: "high"
source: |
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(attachments,
any(file.explode(.),
(
// attachment is most likely only a logo
(
length(.scan.ocr.raw) < 15 or .scan.ocr.raw is null
)
and any(ml.logo_detect(..).brands,
strings.starts_with(.name, "Microsoft")
)
)
)
and (
3 of (
strings.ilike(body.current_thread.text, "*review*"),
strings.ilike(body.current_thread.text, "*release*"),
strings.ilike(body.current_thread.text, "*quarantine*"),
strings.ilike(body.current_thread.text, "*messages*"),
strings.ilike(body.current_thread.text, "*blocked*"),
strings.ilike(body.current_thread.text, "*notification*"),
strings.ilike(body.current_thread.text, "*kindly*")
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"office365.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "File analysis"
- "Sender analysis"
id: "6d19527c-7ab9-5f0d-8c35-718dd30b704f"