Medium Severity

Attachment: Microsoft-branded HTML File (Unsolicited)

Labels

No labels.

Description

An unsolicited attachment in HTML file format, sent by a first-time sender or a known-bad source, that includes Microsoft branding. Often leveraged for malware delivery, e.g. Bumblebee.

@delivr_to
Created Nov 10th, 2023 • Last updated Apr 22nd, 2024
Feed Source
delivr.to Feed
Source
type.inbound

and (
    (
        not profile.by_sender_email().solicited
        and profile.by_sender_email().prevalence in ("new", "outlier")
    )
    or (
        profile.by_sender_email().any_messages_malicious_or_spam
        and not profile.by_sender_email().any_false_positives
    )
    or sender.email.domain.domain == "delivrto.me"
)

and any(attachments,
    // HTML file format
    (
        regex.imatch(.file_extension, '^[sdx]{0,1}ht[ml]{0,2}') or 
        .file_type == "html"
    )
    // Some MS branding present
    and 1 of (
        // HTML screenshot indicates MS branding
        any(ml.logo_detect(file.html_screenshot(.)).brands,
            strings.starts_with(.name, "Microsoft")
        ),
        // HTML content indicates MS branding
        any(ml.logo_detect(.).brands,
            strings.starts_with(.name, "Microsoft")
        ),
        // HTML page title is MS related
        any(file.explode(.), 
            strings.ilike(.scan.html.title, 
                "*Microsoft*", 
                "*Teams*", 
                "*One*Drive*", 
                "*Share*Point*", 
                "*Office*365*"
            )
        )
    )
)
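As an added example, not part of the delivr.to rule or the Sublime platform, the per-attachment predicate above re-implemented in Python so the extension regex and title globs can be exercised offline against constructed attachment records. It assumes regex.imatch is a full-string, case-insensitive match, strings.ilike is a case-insensitive glob, and the ml.logo_detect results are supplied as lists of brand names rather than computed.

```python
import re
from fnmatch import fnmatchcase
from dataclasses import dataclass, field

# Extension regex copied from the rule, evaluated as a full case-insensitive match
# (assumption about regex.imatch semantics; the $ anchor makes that explicit here).
HTML_EXT = re.compile(r"^[sdx]{0,1}ht[ml]{0,2}$", re.IGNORECASE)

# Title globs copied from the rule's strings.ilike call.
MS_TITLE_GLOBS = ("*Microsoft*", "*Teams*", "*One*Drive*", "*Share*Point*", "*Office*365*")


@dataclass
class Attachment:
    """Constructed stand-in for the attachment fields the rule reads."""
    file_extension: str
    file_type: str = ""
    title: str = ""  # .scan.html.title from file.explode(.)
    screenshot_brands: list = field(default_factory=list)  # ml.logo_detect(file.html_screenshot(.)).brands
    content_brands: list = field(default_factory=list)     # ml.logo_detect(.).brands


def is_html(att: Attachment) -> bool:
    """The 'HTML file format' clause: extension regex OR file_type == "html"."""
    return bool(HTML_EXT.match(att.file_extension)) or att.file_type == "html"


def ilike_any(text: str, globs) -> bool:
    """strings.ilike with several patterns: case-insensitive glob, any pattern wins."""
    return any(fnmatchcase(text.lower(), g.lower()) for g in globs)


def has_ms_branding(att: Attachment) -> bool:
    """The '1 of (...)' clause: any detected brand starting with "Microsoft", or an MS-like title."""
    brands = att.screenshot_brands + att.content_brands
    return any(b.startswith("Microsoft") for b in brands) or ilike_any(att.title, MS_TITLE_GLOBS)


def attachment_matches(att: Attachment) -> bool:
    """Body of the rule's any(attachments, ...): HTML format AND at least one branding signal."""
    return is_html(att) and has_ms_branding(att)
```

Running the predicate over a .mht or .mhtml attachment shows that the extension regex does not accept those names, so such files only satisfy the first clause when file_type is reported as "html".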