High Severity
Brand impersonation: Microsoft quarantine release notification in body
Description
Message containing suspicious quarantine release language in the body, and a Microsoft logo attachment but did not come from Microsoft.
References
No references.
Sublime Security
Created May 10th, 2024 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(attachments,
any(file.explode(.),
(
// attachment is most likely only a logo
(
length(.scan.ocr.raw) < 15 or .scan.ocr.raw is null
)
and any(ml.logo_detect(..).brands,
strings.starts_with(.name, "Microsoft")
)
)
)
and (
3 of (
strings.ilike(body.current_thread.text, "*review*"),
strings.ilike(body.current_thread.text, "*release*"),
strings.ilike(body.current_thread.text, "*quarantine*"),
strings.ilike(body.current_thread.text, "*messages*"),
strings.ilike(body.current_thread.text, "*blocked*"),
strings.ilike(body.current_thread.text, "*notification*"),
strings.ilike(body.current_thread.text, "*kindly*")
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"office365.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.