• Sublime Core Feed
High Severity

Brand impersonation: Microsoft logo in HTML with fake quarantine release notification

Labels

Credential Phishing
Evasion
Impersonation: Brand
Social engineering
Content analysis
HTML analysis
Sender analysis

Description

A message containing a Microsoft logo generated using HTML tables and references to the Microsoft Exchange quarantine, but did not come from Microsoft.

References

No references.

Sublime Security
Created Apr 23rd, 2024 • Last updated Dec 10th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and 0 < length(body.links) < 10
// Microsoft logo via HTML table composition
and (
  regex.icontains(body.html.raw,
                  '<table[^>]*>\s*<tbody[^>]*>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s*&nbsp;\s*</td>\s*){2}\s*</tr>\s*<tr[^>]*>\s*(<td[^>]*bgcolor="#[0-9A-Fa-f]{6}"[^>]*>\s*&nbsp;\s*</td>\s*){2}'
  )
  or regex.icontains(body.html.raw,
                     '<td style="background:\s*rgb\(246,\s*93,\s*53\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(129,\s*187,\s*5\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(4,\s*165,\s*240\);\s*height:\d+px;">.*?<td style="background:\s*rgb\(255,\s*186,\s*7\);\s*height:\d+px;">'
  )
  or 4 of (
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(245, 189, 67\);">.{0,10}</td>'
    ),
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(137, 184, 57\);">.{0,10}</td>'
    ),
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(217, 83, 51\);">.{0,10}</td>'
    ),
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(71, 160, 218\);">.{0,10}</td>'
    )
  )
  or regex.icontains(body.html.raw,
                     '<DIV[^>]*><SPAN style="[^"]*BACKGROUND-COLOR: #ff1940"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #3eb55d"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #04b5f0"></SPAN><SPAN style="[^"]*BACKGROUND-COLOR: #ffca07"></SPAN></DIV>'
  )
  or regex.icontains(body.html.raw,
                     '<span style="[^"]*background-color:\s*#FF1941;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#36ba58;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#04a1d6;[^"]*"></span>\s*<span style="[^"]*background-color:\s*#FFCA08;[^"]*"></span>'
  )
  or regex.icontains(body.html.raw,
                     '<td[^>]+background:#f25022[^>]+>.*?<td[^>]+background:#7fba00[^>]+>.*?<td[^>]+background:#01a4ef[^>]+>.*?<td[^>]+background:#ffb901[^>]+>'
  )
  or regex.icontains(body.html.raw,
                     '<td bgcolor="red".*?<td bgcolor="green".*?<td bgcolor="#04a5f0".*?<td bgcolor="#ffba07"'
  )
  or 4 of (
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(73, 161, 232\);">.{0,10}</td>'
    ),
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(224, 92, 53\);">.{0,10}</td>'
    ),
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(139, 183, 55\);">.{0,10}</td>'
    ),
    regex.icontains(body.html.raw,
                    '<td style="width:.\d.px;.height:.\d.px;.background-color:.rgb\(244, 188, 65\);">.{0,10}</td>'
    )
  )
  or regex.icontains(body.html.raw,
                     '<td style="BACKGROUND-COLOR: red".*?<td style="BACKGROUND-COLOR: rgb\(19,186,132\)".*?<td style="BACKGROUND-COLOR: rgb\(4,166,240\)".*?<td style="BACKGROUND-COLOR: rgb\(255,186,8\)"'
  )
  or 4 of (
    regex.icontains(body.html.raw, 'background-color:rgb\(213,56,62\)'),
    regex.icontains(body.html.raw, 'background-color:rgb\(0,114,30\)'),
    regex.icontains(body.html.raw, 'background-color:rgb\(0,110,173\)'),
    regex.icontains(body.html.raw, 'background-color:rgb\(227,209,43\)'),
  )
  or 4 of (
    regex.icontains(body.html.raw, '<td[^>]*bgcolor="#F25022">&nbsp;</td>'),
    regex.icontains(body.html.raw, '<td[^>]*bgcolor="#7FBA00">&nbsp;</td>'),
    regex.icontains(body.html.raw,
                    '<td[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*(bgcolor="#00A4EF"|height="\d+")[^>]*>&nbsp;</td>'
    ),
    regex.icontains(body.html.raw,
                    '<td[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*(bgcolor="#FFB900"|height="\d+")[^>]*>&nbsp;</td>'
    )
  )
  or regex.icontains(body.html.raw,
                     '<DIV[^>]*><SPAN[^>]*background-color:\s*#FF1940;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#36ba57;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#04a1d6;[^>]*><\/SPAN><SPAN[^>]*background-color:\s*#FFCA07;[^>]*><\/SPAN><\/DIV>'
  )
  or 3 of (
    regex.icontains(body.html.raw, '.password-expiration'),
    regex.icontains(body.html.raw, 'color: #2672ec;'),
    regex.icontains(body.html.raw, 'M\x{00AD}ic\x{00AD}ro\x{00AD}so\x{00AD}ft')
  )
  or 4 of (
    regex.icontains(body.html.raw, 'background-color:#FF1940;'),
    regex.icontains(body.html.raw, 'background-color:#3eb55d;'),
    regex.icontains(body.html.raw, 'background-color:#04B5F0;'),
    regex.icontains(body.html.raw, 'background-color:#FFCA07;'),
  )
  or 4 of (
    regex.icontains(body.html.raw, 'bgcolor="#eb5024"'),
    regex.icontains(body.html.raw, 'bgcolor="#7db606"'),
    regex.icontains(body.html.raw, 'bgcolor="#05a1e8"'),
    regex.icontains(body.html.raw, 'bgcolor="#f7b408"'),
  )
  or 4 of (
    regex.icontains(body.html.raw, '<td style="background: #E74F23;'),
    regex.icontains(body.html.raw, '<td style="background: #7AB206;'),
    regex.icontains(body.html.raw, '<td style="background: #059EE4;'),
    regex.icontains(body.html.raw, '<td style="background: #F2B108;'),
  )
  or 4 of (
    regex.icontains(body.html.raw, 'background-color:rgb\(246,93,53\)'),
    regex.icontains(body.html.raw, 'background-color:rgb\(129,187,5\)'),
    regex.icontains(body.html.raw, 'background-color:rgb\(4,165,240\)'),
    regex.icontains(body.html.raw, 'background-color:rgb\(255,186,7\)')
  )
  and 3 of (
    strings.icontains(body.current_thread.text, "review"),
    strings.icontains(body.current_thread.text, "release"),
    strings.icontains(body.current_thread.text, "quarantine"),
    strings.icontains(body.current_thread.text, "messages"),
    strings.icontains(body.current_thread.text, "recover"),
    strings.icontains(body.current_thread.text, "server error")
  )
  and sender.email.domain.root_domain not in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started