Link: Microsoft Dynamics 365 form phishing

type.inbound
and any(body.links,
        .href_url.domain.domain in (
          "ncv.microsoft.com",
          "customervoice.microsoft.com"
        )
        and ml.link_analysis(.).effective_url.domain.domain == "customervoice.microsoft.com"

        // confirm it is a form
        and (
          any(ml.link_analysis(.).final_dom.links,
              .href_url.domain.domain == "cdn.forms.office.net"
          )
          or strings.icontains(ml.link_analysis(.).final_dom.raw,
                               "cdn.forms.office.net"
          )
          or .href_url.path == "/Pages/ResponsePage.aspx"
        )

        // analyze for credential phishing signals
        and (
          //
          // This rule makes use of a beta feature and is subject to change without notice
          // using the beta feature in custom rules is not suggested until it has been formally released
          //
          any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
              .name == "cred_theft" and .confidence != "low"
          )
          or any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name == "cred_theft" and .confidence != "low"
          )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)