Sublime Core Feed
High Severity

Brand impersonation: Microsoft logo or suspicious language with open redirect

Labels

BEC/Fraud
Impersonation: Brand
Open redirect
Social engineering
Computer Vision
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis

Description

Message contains a Microsoft logo or suspicious terms and uses an open redirect. This has been exploited in the wild to impersonate Microsoft.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Mar 7th, 2024
Feed Source
Sublime Core Feed
Source
GitHub

Rule

type.inbound
and (length(attachments) < 5 or length(body.links) < 10)
// Microsoft logo
and (
  any(attachments,
      .file_type in $file_types_images
      and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
  )
  or any(attachments,
         .file_type in $file_types_images
         and (
           any(file.explode(.),
               2 of (
                 strings.ilike(.scan.ocr.raw, "*password*"),
                 strings.ilike(.scan.ocr.raw, "*unread messages*"),
                 strings.ilike(.scan.ocr.raw, "*Shared Documents*"),
                 strings.ilike(.scan.ocr.raw, "*expiration*"),
                 strings.ilike(.scan.ocr.raw, "*office*"),
                 strings.ilike(.scan.ocr.raw, "*expire*"),
                 strings.ilike(.scan.ocr.raw, "*expiring*"),
                 strings.ilike(.scan.ocr.raw, "*kindly*"),
                 strings.ilike(.scan.ocr.raw, "*renew*"),
                 strings.ilike(.scan.ocr.raw, "*review"),
                 strings.ilike(.scan.ocr.raw, "*emails failed*"),
                 strings.ilike(.scan.ocr.raw, "*kicked out*"),
                 strings.ilike(.scan.ocr.raw, "*prevented*"),
                 strings.ilike(.scan.ocr.raw, "*storage quota*"),
                 strings.ilike(.scan.ocr.raw, "*required now"),
                 strings.ilike(.scan.ocr.raw, "*cache*"),
                 strings.ilike(.scan.ocr.raw, "*qr code*"),
                 strings.ilike(.scan.ocr.raw, "*barcode*"),
                 strings.ilike(.scan.ocr.raw, "*security update*"),
                 strings.ilike(.scan.ocr.raw, "*quarantine*")
               )
           )
         )
  )
)

// open redirect
and any(body.links,
        any(.href_url.rewrite.encoders, strings.icontains(., "open_redirect"))
        and not .href_url.domain.root_domain in $org_domains
)
and (
  not profile.by_sender().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not (
  length(headers.references) > 0
  or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)
and sender.email.domain.root_domain not in $org_domains
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftstoreemail.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com"
)