High Severity
Brand impersonation: Microsoft quarantine release notification in image attachment
Description
Message with an image attachment containing credential theft language and references to the Microsoft Exchange quarantine, but did not come from Microsoft.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Jun 27th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(attachments,
any(file.explode(.),
(
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence != "low"
)
or (
length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
)
)
and (
(
any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "urgency"
)
)
or any(ml.nlu_classifier(.scan.ocr.raw).entities,
.name == "sender" and strings.icontains(.text, "Microsoft")
)
)
)
and any(file.explode(.),
3 of (
strings.icontains(.scan.ocr.raw, "review"),
strings.icontains(.scan.ocr.raw, "release"),
strings.icontains(.scan.ocr.raw, "quarantine"),
strings.icontains(.scan.ocr.raw, "messages"),
strings.icontains(.scan.ocr.raw, "blocked"),
strings.icontains(.scan.ocr.raw, "notification"),
any(ml.logo_detect(..).brands,
strings.starts_with(.name, "Microsoft")
)
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.