← Back to Explore
sublimehighRule
Link: Microsoft Dynamics 365 form phishing
Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
Detection Query
type.inbound
and any(body.links,
.href_url.domain.domain in (
"ncv.microsoft.com",
"customervoice.microsoft.com",
"nam.dcv.ms"
)
and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"
// confirm it is a form
and (
any(ml.link_analysis(.).final_dom.links,
.href_url.domain.domain == "cdn.forms.office.net"
)
or strings.icontains(ml.link_analysis(.).final_dom.raw,
"cdn.forms.office.net"
)
or .href_url.path == "/Pages/ResponsePage.aspx"
)
// analyze for credential phishing signals
and (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
.name == "cred_theft" and .confidence != "low"
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Microsoft Dynamics 365 form phishing"
description: |
Email body is suspicious, and links to a Microsoft Dynamics form. Known phishing tactic.
references:
- "https://cofense.com/blog/compromised-microsoft-dynamic-365-customer-voice-account-used-for-phishing-attack/"
type: "rule"
severity: "high"
source: |
type.inbound
and any(body.links,
.href_url.domain.domain in (
"ncv.microsoft.com",
"customervoice.microsoft.com",
"nam.dcv.ms"
)
and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"
// confirm it is a form
and (
any(ml.link_analysis(.).final_dom.links,
.href_url.domain.domain == "cdn.forms.office.net"
)
or strings.icontains(ml.link_analysis(.).final_dom.raw,
"cdn.forms.office.net"
)
or .href_url.path == "/Pages/ResponsePage.aspx"
)
// analyze for credential phishing signals
and (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
.name == "cred_theft" and .confidence != "low"
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence != "low"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and not profile.by_sender().any_messages_benign
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Content analysis"
- "File analysis"
- "Optical Character Recognition"
- "Natural Language Understanding"
- "URL analysis"
- "URL screenshot"
id: "f72b9085-8c48-5c8c-9b0d-0ce6ef3494dc"