High Severity
Brand impersonation: Microsoft (QR code)
Description
Detects messages using Microsoft image based lures, referencing or including a QR code from an Unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Feb 7th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and (
any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in~ $file_extensions_macros
)
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
or any(ml.logo_detect(beta.message_screenshot()).brands,
strings.starts_with(.name, "Microsoft")
)
)
and any(attachments,
(
.file_type in $file_types_images
or .file_type == "pdf"
or .file_type in $file_extensions_macros
)
and (
any(file.explode(.),
regex.icontains(.scan.ocr.raw, 'scan|camera')
and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
)
or (
any(file.explode(.),
.scan.qr.type == "url"
// recipient email address is present in the URL, a common tactic used in credential phishing attacks
and any(recipients.to,
(
(strings.icontains(..scan.qr.data, .email.email))
// the recipients sld is in the senders display name
or any(recipients.to,
strings.icontains(sender.display_name,
.email.domain.sld
)
)
// the recipient local is in the body
or any(recipients.to,
strings.icontains(body.current_thread.text,
.email.local_part
)
)
// or the body is null
or body.current_thread.text is null
or body.current_thread.text == ""
// or the subject contains authentication/urgency verbiage
or regex.contains(subject.subject,
"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
)
and (.email.domain.valid or strings.icontains(.display_name, "undisclosed"))
)
)
)
)
)
and (
not any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict == "pass"
and sender.email.domain.domain == "microsoft.com"
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.