High Severity
Brand impersonation: Microsoft with embedded logo and credential theft language
Description
This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender.
References
No references.
Sublime Security
Created Nov 22nd, 2023 • Last updated Jan 10th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
(
length(attachments) > 0
and all(attachments,
.file_type in $file_types_images or .file_type == "pdf"
)
)
or length(attachments) == 0
)
and any(ml.logo_detect(beta.message_screenshot()).brands,
strings.starts_with(.name, "Microsoft")
)
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or (
length(body.current_thread.text) == 0
and any(file.explode(beta.message_screenshot()),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
)
)
and (
not (
headers.auth_summary.dmarc.pass
and headers.auth_summary.dmarc.details.from.domain in (
"azureadnotifications.us",
"microsoft.com",
"sharepointonline.com",
"cloudappsecurity.com",
"microsoftsupport.com",
"microsoft.onmicrosoft.com",
"yammer.com"
)
)
or headers.auth_summary.dmarc.pass is null
or headers.auth_summary.dmarc.details.from.domain is null
)
and not (
sender.email.domain.domain == "planner.office365.com"
and headers.return_path.email == "noreply@planner.office365.com"
and headers.auth_summary.dmarc.details.from.domain == "planner.office365.com"
)
// Microsoft has some legit onmicrosoft domains...
and not (
sender.email.domain.domain == "microsoft.onmicrosoft.com"
and headers.auth_summary.spf.pass
and all(body.links, .href_url.domain.root_domain == "microsoft.com")
)
// message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
and not (
strings.ilike(headers.message_id, '<Share-*', '<MassDelete-*')
and strings.ends_with(headers.message_id, '@odspnotify>')
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_false_positives
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().any_false_positives
Playground
Test against your own EMLs or sample data.