• Sublime Core Feed
Medium Severity

Brand impersonation: Microsoft fake sign-in alert

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
File analysis
Header analysis
Sender analysis
Whois

Description

Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 25th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// no links found in body
and length(body.links) == 0
// Microsoft strings
and (
  strings.contains(subject.subject, "Microsoft")
  or strings.contains(sender.display_name, "Microsoft")
  or strings.contains(body.current_thread.text, "Microsoft")
  or (

    // or Microsoft Brand logo
    any(attachments,
        .file_type in $file_types_images
        and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
    )
  )
)

// Body contains Indicators of fake sign in notification
and (
  regex.contains(body.current_thread.text,
                 '(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
  )
  or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
)
and (

  // If the sender is freemail
  sender.email.domain.domain in $free_email_providers
  or (

    // sender is not freemail, but the return path email or reply to email is  
    sender.email.domain.domain not in $free_email_providers
    and (
      headers.return_path.domain.root_domain in $free_email_providers
      or (
        length(headers.reply_to) > 0
        and (all(headers.reply_to, .email.domain.root_domain in $free_email_providers))
      )
      or (

        // if all replyto domain, return_path domain, sender domain mismatch
        length(headers.reply_to) > 0
        and all(headers.reply_to,
                .email.domain.domain != headers.return_path.domain.domain
                and headers.return_path.domain.domain != sender.email.domain.domain
        )
      )

      // or the domain is less than 90 days old
      or network.whois(sender.email.domain).days_old <= 90
      or (

        // or Compauth verdict is not pass/softpass
        any(headers.hops,
            .authentication_results.compauth.verdict is not null
            and .authentication_results.compauth.verdict not in ("pass", "softpass")
        )
      )
    )
  )
)
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com",
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started