• Sublime Core Feed
Medium Severity

Link: Microsoft impersonation using hosted png with suspicious link

Description

Detects messages with a link to a Microsoft hosted logo where the sender's display name and the display text of a link in the body are in all caps, and a request is being made from a first-time sender.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 16th, 2025
Source
type.inbound

// display name is in all caps
and regex.match(sender.display_name, '[A-Z ]+')

// the sender is not microsoft
and sender.email.domain.root_domain not in~ ('microsoft.com', 'microsoftsupport.com', 'office.com')

// logo hosted on microsoft.com
and any(body.links,
        regex.icontains(.display_url.url, '.{0,50}microsoft\.com\/.{0,70}logo.{0,25}\.png')
)

// and at least one link display text is in all caps
// (alternation group rather than a character class, and case-sensitive so only all-caps text matches)
and any(body.links, regex.contains(.display_text, '(VIEW|CLICK|DOWNLOAD|CHECK)'))

// request being made
and any(ml.nlu_classifier(body.html.inner_text).entities, .name == "request")

// sender domain matches no body domains
and not any(body.links,
            .href_url.domain.root_domain == sender.email.domain.root_domain
            and .href_url.domain.root_domain not in $tranco_1m
)

// org domain in the subject of the message
and any($org_domains, strings.icontains(subject.subject, .))
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
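The same conditions re-implemented in Python over a constructed sample message, added here as an example (it is not Sublime's code); the NLU "request" entity and the sender-profile prevalence check are stood in by booleans, and `TRANCO_1M` is a constructed stand-in for the `$tranco_1m` list. It also shows why `[VIEW|CLICK|DOWNLOAD|CHECK]` (a character class) matches far more than the intended alternation.

```python
import re
from dataclasses import dataclass
from collections import namedtuple

MICROSOFT_DOMAINS = {"microsoft.com", "microsoftsupport.com", "office.com"}
TRANCO_1M = {"google.com", "microsoft.com"}  # constructed stand-in for $tranco_1m
LOGO_RE = re.compile(r".{0,50}microsoft\.com/.{0,70}logo.{0,25}\.png", re.I)
CAPS_NAME_RE = re.compile(r"[A-Z ]+")
# Alternation group; the rule's '[VIEW|CLICK|DOWNLOAD|CHECK]' is a character class instead
CTA_RE = re.compile(r"(VIEW|CLICK|DOWNLOAD|CHECK)")

Link = namedtuple("Link", "href_root_domain display_url display_text")

@dataclass
class Message:
    display_name: str
    sender_root_domain: str
    subject: str
    links: list
    org_domains: set
    has_request: bool        # stands in for the NLU "request" entity
    first_time_sender: bool  # stands in for the profile.by_sender() prevalence check

def buggy_cta_matches(text: str) -> bool:
    """The character-class form fires on any text containing one of its letters."""
    return re.search(r"[VIEW|CLICK|DOWNLOAD|CHECK]", text, re.I) is not None

def matches_rule(m: Message) -> bool:
    sender = m.sender_root_domain.lower()
    return (
        CAPS_NAME_RE.fullmatch(m.display_name) is not None
        and sender not in MICROSOFT_DOMAINS
        and any(LOGO_RE.search(l.display_url) for l in m.links)
        and any(CTA_RE.search(l.display_text) for l in m.links)
        and m.has_request
        # a body link back to the sender's own domain exempts the message (unless a Tranco domain)
        and not any(l.href_root_domain == sender and l.href_root_domain not in TRANCO_1M
                    for l in m.links)
        and any(d.lower() in m.subject.lower() for d in m.org_domains)
        and m.first_time_sender
    )

# Constructed sample: lookalike notification from a first-time sender
LOOKALIKE = Message(
    display_name="MICROSOFT SUPPORT", sender_root_domain="notify-mail.example",
    subject="Action required for your example.com mailbox",
    links=[Link("evil.example", "https://www.microsoft.com/en-us/images/logo.png", ""),
           Link("evil.example", "https://evil.example/review", "VIEW MESSAGES")],
    org_domains={"example.com"}, has_request=True, first_time_sender=True,
)
```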