← Back to Explore
sublimehighRule
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification
A message containing a Microsoft logo generated using HTML tables and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
Detection Query
type.inbound
and 0 < length(body.links) < 10
// Microsoft logo via HTML table composition
and (
regex.icontains(body.html.raw,
'<table[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s* \s*</td>\s*){2}\s*</tr>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s* \s*</td>\s*){2}'
)
or regex.icontains(body.html.raw,
'<td style="background:\s*rgb\(246,\s*93,\s*53\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(129,\s*187,\s*5\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(4,\s*165,\s*240\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(255,\s*186,\s*7\);\s*height:\d+px;">'
)
or 4 of (
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(245, 189, 67\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(137, 184, 57\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(217, 83, 51\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(71, 160, 218\);">.{0,10}</td>'
)
)
or regex.icontains(body.html.raw,
'<DIV[^>]*><SPAN style="[^"]*BACKGROUND-COLOR: #ff1940"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #3eb55d"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #04b5f0"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #ffca07"></SPAN></DIV>'
)
or regex.icontains(body.html.raw,
'<span style="[^"]*background-color:\s*#FF1941;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#36ba58;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#04a1d6;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#FFCA08;[^"]*"></span>'
)
or regex.icontains(body.html.raw,
'<td[^>]+background:#f25022[^>]+>.*?<td[^>]+background:#7fba00[^>]+>.*?<td[^>]+background:#01a4ef[^>]+>.*?<td[^>]+background:#ffb901[^>]+>'
)
or regex.icontains(body.html.raw,
'<td bgcolor="red".*?<td bgcolor="green".*?<td bgcolor="#04a5f0".*?<td bgcolor="#ffba07"'
)
or 4 of (
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(73, 161, 232\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(224, 92, 53\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(139, 183, 55\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(244, 188, 65\);">.{0,10}</td>'
)
)
or regex.icontains(body.html.raw,
'<td style="BACKGROUND-COLOR: red".*?<td style="BACKGROUND-COLOR: rgb\(19,186,132\)".*?<td style="BACKGROUND-COLOR: rgb\(4,166,240\)".*?<td style="BACKGROUND-COLOR: rgb\(255,186,8\)"'
)
or 4 of (
regex.icontains(body.html.raw, 'background-color:rgb\(213,56,62\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(0,114,30\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(0,110,173\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(227,209,43\)'),
)
or 4 of (
regex.icontains(body.html.raw, '<td[^>]*bgcolor="#F25022"> </td>'),
regex.icontains(body.html.raw, '<td[^>]*bgcolor="#7FBA00"> </td>'),
regex.icontains(body.html.raw,
'<td[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*> </td>'
),
regex.icontains(body.html.raw,
'<td[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*> </td>'
)
)
or regex.icontains(body.html.raw,
'<DIV[^>]*><SPAN[^>]*background-color:\s*#FF1940;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#36ba57;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#04a1d6;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#FFCA07;[^>]*><\/SPAN><\/DIV>'
)
or 3 of (
regex.icontains(body.html.raw, '.password-expiration'),
regex.icontains(body.html.raw, 'color: #2672ec;'),
regex.icontains(body.html.raw, 'M\x{00AD}ic\x{00AD}ro\x{00AD}so\x{00AD}ft')
)
or 4 of (
regex.icontains(body.html.raw, 'background-color:#FF1940;'),
regex.icontains(body.html.raw, 'background-color:#3eb55d;'),
regex.icontains(body.html.raw, 'background-color:#04B5F0;'),
regex.icontains(body.html.raw, 'background-color:#FFCA07;'),
)
or 4 of (
regex.icontains(body.html.raw, 'bgcolor="#eb5024"'),
regex.icontains(body.html.raw, 'bgcolor="#7db606"'),
regex.icontains(body.html.raw, 'bgcolor="#05a1e8"'),
regex.icontains(body.html.raw, 'bgcolor="#f7b408"'),
)
or 4 of (
regex.icontains(body.html.raw, '<td style="background: #E74F23;'),
regex.icontains(body.html.raw, '<td style="background: #7AB206;'),
regex.icontains(body.html.raw, '<td style="background: #059EE4;'),
regex.icontains(body.html.raw, '<td style="background: #F2B108;'),
)
or 4 of (
regex.icontains(body.html.raw, 'background-color:rgb\(246,93,53\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(129,187,5\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(4,165,240\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(255,186,7\)')
)
and 3 of (
strings.icontains(body.current_thread.text, "review"),
strings.icontains(body.current_thread.text, "release"),
strings.icontains(body.current_thread.text, "quarantine"),
strings.icontains(body.current_thread.text, "messages"),
strings.icontains(body.current_thread.text, "recover"),
strings.icontains(body.current_thread.text, "server error")
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Microsoft logo in HTML with fake quarantine release notification"
description: "A message containing a Microsoft logo generated using HTML tables and references to the Microsoft Exchange quarantine, but did not come from Microsoft."
type: "rule"
severity: "high"
source: |
type.inbound
and 0 < length(body.links) < 10
// Microsoft logo via HTML table composition
and (
regex.icontains(body.html.raw,
'<table[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s* \s*</td>\s*){2}\s*</tr>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s* \s*</td>\s*){2}'
)
or regex.icontains(body.html.raw,
'<td style="background:\s*rgb\(246,\s*93,\s*53\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(129,\s*187,\s*5\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(4,\s*165,\s*240\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(255,\s*186,\s*7\);\s*height:\d+px;">'
)
or 4 of (
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(245, 189, 67\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(137, 184, 57\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(217, 83, 51\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(71, 160, 218\);">.{0,10}</td>'
)
)
or regex.icontains(body.html.raw,
'<DIV[^>]*><SPAN style="[^"]*BACKGROUND-COLOR: #ff1940"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #3eb55d"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #04b5f0"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #ffca07"></SPAN></DIV>'
)
or regex.icontains(body.html.raw,
'<span style="[^"]*background-color:\s*#FF1941;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#36ba58;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#04a1d6;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#FFCA08;[^"]*"></span>'
)
or regex.icontains(body.html.raw,
'<td[^>]+background:#f25022[^>]+>.*?<td[^>]+background:#7fba00[^>]+>.*?<td[^>]+background:#01a4ef[^>]+>.*?<td[^>]+background:#ffb901[^>]+>'
)
or regex.icontains(body.html.raw,
'<td bgcolor="red".*?<td bgcolor="green".*?<td bgcolor="#04a5f0".*?<td bgcolor="#ffba07"'
)
or 4 of (
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(73, 161, 232\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(224, 92, 53\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(139, 183, 55\);">.{0,10}</td>'
),
regex.icontains(body.html.raw,
'<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(244, 188, 65\);">.{0,10}</td>'
)
)
or regex.icontains(body.html.raw,
'<td style="BACKGROUND-COLOR: red".*?<td style="BACKGROUND-COLOR: rgb\(19,186,132\)".*?<td style="BACKGROUND-COLOR: rgb\(4,166,240\)".*?<td style="BACKGROUND-COLOR: rgb\(255,186,8\)"'
)
or 4 of (
regex.icontains(body.html.raw, 'background-color:rgb\(213,56,62\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(0,114,30\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(0,110,173\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(227,209,43\)'),
)
or 4 of (
regex.icontains(body.html.raw, '<td[^>]*bgcolor="#F25022"> </td>'),
regex.icontains(body.html.raw, '<td[^>]*bgcolor="#7FBA00"> </td>'),
regex.icontains(body.html.raw,
'<td[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*> </td>'
),
regex.icontains(body.html.raw,
'<td[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*> </td>'
)
)
or regex.icontains(body.html.raw,
'<DIV[^>]*><SPAN[^>]*background-color:\s*#FF1940;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#36ba57;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#04a1d6;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#FFCA07;[^>]*><\/SPAN><\/DIV>'
)
or 3 of (
regex.icontains(body.html.raw, '.password-expiration'),
regex.icontains(body.html.raw, 'color: #2672ec;'),
regex.icontains(body.html.raw, 'M\x{00AD}ic\x{00AD}ro\x{00AD}so\x{00AD}ft')
)
or 4 of (
regex.icontains(body.html.raw, 'background-color:#FF1940;'),
regex.icontains(body.html.raw, 'background-color:#3eb55d;'),
regex.icontains(body.html.raw, 'background-color:#04B5F0;'),
regex.icontains(body.html.raw, 'background-color:#FFCA07;'),
)
or 4 of (
regex.icontains(body.html.raw, 'bgcolor="#eb5024"'),
regex.icontains(body.html.raw, 'bgcolor="#7db606"'),
regex.icontains(body.html.raw, 'bgcolor="#05a1e8"'),
regex.icontains(body.html.raw, 'bgcolor="#f7b408"'),
)
or 4 of (
regex.icontains(body.html.raw, '<td style="background: #E74F23;'),
regex.icontains(body.html.raw, '<td style="background: #7AB206;'),
regex.icontains(body.html.raw, '<td style="background: #059EE4;'),
regex.icontains(body.html.raw, '<td style="background: #F2B108;'),
)
or 4 of (
regex.icontains(body.html.raw, 'background-color:rgb\(246,93,53\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(129,187,5\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(4,165,240\)'),
regex.icontains(body.html.raw, 'background-color:rgb\(255,186,7\)')
)
and 3 of (
strings.icontains(body.current_thread.text, "review"),
strings.icontains(body.current_thread.text, "release"),
strings.icontains(body.current_thread.text, "quarantine"),
strings.icontains(body.current_thread.text, "messages"),
strings.icontains(body.current_thread.text, "recover"),
strings.icontains(body.current_thread.text, "server error")
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and (
any(distinct(headers.hops, .authentication_results.dmarc is not null),
strings.ilike(.authentication_results.dmarc, "*fail")
)
)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "HTML analysis"
- "Sender analysis"
id: "f12c615c-1fd7-5b57-b41e-cb42ebf75381"