• Sublime Core Feed
Medium Severity

Brand Impersonation: Microsoft Planner With Suspicious Link

Labels

Credential Phishing
Evasion
Image as content
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
URL analysis

Description

Impersonation of Microsoft Planner, a component of the Microsoft 365 software suite.

References

No references.

Sublime Security
Created Aug 27th, 2024 • Last updated Oct 9th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// suspicious link 
and any(body.links,
        (
          .href_url.domain.root_domain not in $tranco_1m
          or .href_url.domain.domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.domain in $url_shorteners
          or 

          // mass mailer link, masks the actual URL
          .href_url.domain.root_domain in (
            "hubspotlinks.com",
            "mandrillapp.com",
            "sendgrid.net",
            "rs6.net"
          )

          // Google AMP redirect
          or (
            .href_url.domain.sld == "google"
            and strings.starts_with(.href_url.path, "/amp/")
          )

          // Recipient email address in link
          or any(body.links,
                 any(recipients.to,
                     strings.icontains(..href_url.url, .email.email)
                     and any(recipients.to, .email.domain.valid)
                 )
          )
          or .href_url.domain.root_domain == "beehiiv.com"
        )

        // exclude sources of potential FPs
        and (
          .href_url.domain.root_domain not in (
            "svc.ms",
            "sharepoint.com",
            "1drv.ms",
            "microsoft.com",
            "aka.ms",
            "msftauthimages.net",
            "mimecastprotect.com",
            "office.com",
            "microsoftproject.com"
          )
          or any(body.links, .href_url.domain.domain in $free_file_hosts)
        )
        and .href_url.domain.root_domain not in $org_domains
        and .href_url.domain.valid
        and regex.icontains(.display_text,
                            "(go.?to|view|show|display|access|open.?in) (team|planner|group|task|browser)"
        )
)

// not a reply
and (
  length(headers.references) == 0
  or not any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
)

// Planner logo
// LogoDetect coming soon
and (
  all(attachments,
      .file_type in $file_types_images
      and any(file.explode(.),
              // small, relatively square image
              (
                .scan.exiftool.image_height / .scan.exiftool.image_width
              ) > 0.9
              and (.scan.exiftool.image_height + .scan.exiftool.image_width) < 500
      )
  )
)

// suspicious content
and (
  2 of (
    strings.ilike(body.current_thread.text, "*assigned*new team*"),
    strings.ilike(body.current_thread.text, "*Microsoft Office 365*"),
    strings.ilike(body.current_thread.text, "*internal planner*"),
    strings.ilike(body.current_thread.text, "*internal task*"),
    any(recipients.to,
        strings.icontains(body.current_thread.text, .email.domain.sld)
    )
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence in~ ("medium", "high")
    )
  )
  // multiple links, but all the same root domain
  or (
    length(distinct(body.links, .href_url.domain.root_domain)) == 1
    and 2 < length(body.links) < 10
    and all(body.links, .href_url.domain.root_domain != sender.email.domain.root_domain)
  )
)
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftproject.com",
  "microsoftstoreemail.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "office365.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com",
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and not profile.by_sender().any_false_positives

// exclude marketing jargon from ms partners
and not regex.icontains(body.current_thread.text,
                        '(schedul(e|ing)|set up).{0,20}(call|meeting|demo|zoom|conversation|time|tool|discussion)|book.{0,10}(meeting|demo|call|slot|time)|connect.{0,12}(with me|phone|email)|my.{0,10}(calendar|cal)|reserve.{0,10}s[pl]ot|break the ice|want to know more?|miss your chance|if you no longer wish|if you no longer want|if you wish to opt out|low-code (development|approach|solution|journey|platform)|invite.{0,30}(webinar|presentation)'
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started