← Back to Explore
sublimehighRule
Attachment: Microsoft 365 credential phishing
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
Detection Query
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and (
any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
and length(.scan.ocr.raw) < 1500
)
)
)
and any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
length(filter([
"password",
"unread messages",
"Shared Documents",
"expiration",
"expire",
"expiring",
"kindly",
"renew",
"review",
"emails failed",
"kicked out",
"prevented",
"storage",
"required now",
"cache",
"qr code",
"security update",
"invoice",
"retrieve",
"blocked"
],
strings.icontains(..scan.ocr.raw, .)
)
) >= 2
or (
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.domain in (
"microsoft.com",
"sharepointonline.com"
)
)
)
// negate angelbeat urls and microsoft disclaimer links
and (
length(body.links) > 0
and not all(body.links,
.href_url.domain.root_domain in (
"abeatinfo.com",
"abeatinvite.com",
"aka.ms",
"angelbeat.com"
)
)
)
// negate replies
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.icontains(subject.subject,
'^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
)
)
)
)
or length(headers.references) == 0
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: Microsoft 365 credential phishing"
description: |
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
type: "rule"
severity: "high"
source: |
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and (
any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
and length(.scan.ocr.raw) < 1500
)
)
)
and any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
length(filter([
"password",
"unread messages",
"Shared Documents",
"expiration",
"expire",
"expiring",
"kindly",
"renew",
"review",
"emails failed",
"kicked out",
"prevented",
"storage",
"required now",
"cache",
"qr code",
"security update",
"invoice",
"retrieve",
"blocked"
],
strings.icontains(..scan.ocr.raw, .)
)
) >= 2
or (
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.domain in (
"microsoft.com",
"sharepointonline.com"
)
)
)
// negate angelbeat urls and microsoft disclaimer links
and (
length(body.links) > 0
and not all(body.links,
.href_url.domain.root_domain in (
"abeatinfo.com",
"abeatinvite.com",
"aka.ms",
"angelbeat.com"
)
)
)
// negate replies
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.icontains(subject.subject,
'^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:'
)
)
)
)
or length(headers.references) == 0
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Optical Character Recognition"
- "Sender analysis"
id: "edce0229-5e8f-5359-a5c8-36570840049f"