High Severity

Brand impersonation: Microsoft (QR code)

Labels

Credential Phishing

Impersonation: Brand

Description

Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.

References

No references.

Sublime Security

Created Aug 17th, 2023 • Last updated Feb 7th, 2024

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  any(attachments,
      (
        .file_type in $file_types_images
        or .file_type == "pdf"
        or .file_type in~ $file_extensions_macros
      )
      and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
  )
  or any(ml.logo_detect(beta.message_screenshot()).brands,
         strings.starts_with(.name, "Microsoft")
  )
)
and any(attachments,
        (
          .file_type in $file_types_images
          or .file_type == "pdf"
          or .file_type in $file_extensions_macros
        )
        and (
          any(file.explode(.),
              regex.icontains(.scan.ocr.raw, 'scan|camera')
              and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
          )
          or (
            any(file.explode(.),
                .scan.qr.type == "url"
                // recipient email address is present in the URL, a common tactic used in credential phishing attacks 
                and any(recipients.to,
                        (
                          (strings.icontains(..scan.qr.data, .email.email))

                          // the recipients sld is in the senders display name
                          or any(recipients.to,
                                 strings.icontains(sender.display_name,
                                                   .email.domain.sld
                                 )
                          )

                          // the recipient local is in the body  
                          or any(recipients.to,
                                 strings.icontains(body.current_thread.text,
                                                   .email.local_part
                                 )
                          )

                          // or the body is null 
                          or body.current_thread.text is null
                          or body.current_thread.text == ""

                          // or the subject contains authentication/urgency verbiage
                          or regex.contains(subject.subject,
                                            "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
                          )
                        )
                        and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
                )
            )
          )
        )
)
and (
  not any(headers.hops,
          .authentication_results.compauth.verdict is not null
          and .authentication_results.compauth.verdict == "pass"
          and sender.email.domain.domain == "microsoft.com"
  )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

and not profile.by_sender().any_false_positives

MQL Console

•

View MQL Guide

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.