High Severity
Attachment: Microsoft 365 Credential Phishing
Description
Looks for messages with an image attachment that contains words related to Microsoft, Office365, and passwords.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Oct 16th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and (
any(attachments,
.file_type in $file_types_images
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
strings.ilike(.scan.ocr.raw, "*microsoft*", "*office")
and length(.scan.ocr.raw) < 1500
)
)
)
and any(attachments,
.file_type in $file_types_images
and any(file.explode(.),
length(filter([
"password",
"unread messages",
"Shared Documents",
"expiration",
"expire",
"expiring",
"kindly",
"renew",
"review",
"emails failed",
"kicked out",
"prevented",
"storage",
"required now",
"cache",
"qr code",
"security update",
"invoice",
"retrieve",
"blocked"
],
strings.icontains(..scan.ocr.raw, .)
)
) >= 2
or (
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence == "high"
)
and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 1
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.domain in (
"microsoft.com",
"sharepointonline.com"
)
)
)
// negate angelbeat urls and microsoft disclaimer links
and (
length(body.links) > 0
and not all(body.links,
.href_url.domain.root_domain in (
"abeatinfo.com",
"abeatinvite.com",
"aka.ms",
"angelbeat.com"
)
)
)
// negate replies
and (
(
(
length(headers.references) > 0
or not any(headers.hops,
any(.fields, strings.ilike(.name, "In-Reply-To"))
)
)
and not (
(
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject, "答复:")
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or regex.icontains(subject.subject, '^(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
)
)
)
or length(headers.references) == 0
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.