High Severity

Attachment: Microsoft impersonation via PDF with link and suspicious language

Labels

Credential Phishing
Malware/Ransomware
Image as content
Impersonation: Brand
PDF
Scripting
Social engineering
Computer Vision
File analysis
Header analysis
Natural Language Understanding
Sender analysis

Description

Attached PDF contains a Microsoft-affilated logo, suspicious language or keywords, and a link. Known malware delivery method.

References

No references.

Sublime Security
Created Dec 19th, 2023 • Last updated May 14th, 2026
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  any(attachments,
      (.file_extension == "pdf" or .file_type == "pdf")
      and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
  )
)
and any(attachments,
        (.file_extension == "pdf" or .file_type == "pdf")
        and any(file.explode(.),
                (
                  length(filter([
                                  "password",
                                  "unread messages",
                                  "Shared Documents",
                                  "expiration",
                                  "expire",
                                  "expiring",
                                  "kindly",
                                  "renew",
                                  "review",
                                  "emails failed",
                                  "kicked out",
                                  "prevented",
                                  "storage",
                                  "required now",
                                  "cache",
                                  "qr code",
                                  "security update",
                                  "invoice",
                                  "retrieve",
                                  'engine failed',
                                  'OneDrive Error',
                                  'problem connecting',                                  
                                  'secure file',
                                  'access'
                                ],
                                strings.icontains(..scan.ocr.raw, .)
                         )
                  ) >= 2
                  or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                         .name == "cred_theft" and .confidence == "high"
                  )
                )
                and (length(.scan.url.urls) > 0 or length(.scan.pdf.urls) > 0)
        )
)
and (
  not any(headers.hops,
          .authentication_results.compauth.verdict is not null
          and .authentication_results.compauth.verdict == "pass"
          and sender.email.domain.domain in (
            "microsoft.com",
            "sharepointonline.com"
          )
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started