Brand impersonation: Microsoft (QR code)
Detects messages that use Microsoft image-based lures and reference or include a QR code, sent from an unsolicited sender. These messages often lead users to phishing sites or initiate unwanted downloads.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, PDF, QR code, Social engineering |
Event coverage
Rule body (MQL)

```
type.inbound
and (
  any(attachments,
    (
      .file_type in $file_types_images
      or .file_type == "pdf"
      or .file_type in~ $file_extensions_macros
    )
    and (
      any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
      or any(file.explode(.),
        // for Office documents
        .flavors.mime == "text/xml"
        and any(.scan.strings.strings,
          regex.icontains(.,
            'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
          )
        )
      )
    )
  )
  or any(ml.logo_detect(file.message_screenshot()).brands,
    strings.starts_with(.name, "Microsoft")
  )
  or (
    // limited body length
    length(body.current_thread.text) < 300
    and any(filter(attachments,
        .file_type in $file_types_images
        // image attachments that are displayed in the body
        // when the content-id is corrected, this will be much more simple
        and (
          any(regex.extract(.content_id, '^<(?P<cid>[^\>]+)\>$'),
            strings.icontains(body.html.raw, .named_groups["cid"])
          )
          or strings.icontains(body.html.raw, .content_id)
        )
      ),
      // those images contain the wording
      any(file.explode(.),
        regex.icontains(.scan.ocr.raw,
          'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
        )
      )
    )
  )
)
and any(attachments,
  (
    .file_type in $file_types_images
    or .file_type == "pdf"
    or .file_type in $file_extensions_macros
  )
  and (
    any(file.explode(.),
      regex.icontains(.scan.ocr.raw, 'scan|camera')
      and regex.icontains(.scan.ocr.raw, '\bQR\b|Q\.R\.|barcode')
    )
    or (
      any(file.explode(.),
        .scan.qr.type == "url"
        // recipient email address is present in the URL, a common tactic used in credential phishing attacks
        and any(recipients.to,
          (
            (strings.icontains(..scan.qr.data, .email.email))
            // the recipient's sld is in the sender's display name
            or any(recipients.to,
              strings.icontains(sender.display_name,
                .email.domain.sld
              )
            )
            // the recipient local part is in the body
            or any(recipients.to,
              strings.icontains(body.current_thread.text,
                .email.local_part
              )
            )
            // or the body is null
            or body.current_thread.text is null
            or body.current_thread.text == ""
            // or the subject contains authentication/urgency verbiage
            or regex.contains(subject.subject,
              "(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
            )
          )
          and (
            .email.domain.valid
            or strings.icontains(.display_name, "undisclosed")
          )
        )
      )
    )
  )
)
and (
  not any(headers.hops,
    .authentication_results.compauth.verdict is not null
    and .authentication_results.compauth.verdict == "pass"
    and sender.email.domain.domain == "microsoft.com"
  )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not profile.by_sender().any_messages_benign
```
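The rule above is evaluated by Sublime's engine and cannot be run outside it. As an added example (not code from Sublime or from the rule), the following Python models its two core clauses, the Microsoft image lure and the QR-code reference, plus the compauth and sender-profile negations, over a constructed message. The `Attachment`, `Recipient` and `Message` dataclasses, the `FILE_TYPES_IMAGES` and `FILE_EXTENSIONS_MACROS` stand-ins for the `$file_types_images` and `$file_extensions_macros` reference lists, and the replacement of the POSIX `[[:punct:]]` class (unsupported by Python's `re`) with an explicit character class are all assumptions; the `ml.logo_detect(file.message_screenshot())` path and the Office `text/xml` string scan are not modelled.

```python
import re
import string
from dataclasses import dataclass, field, replace
from typing import List, Optional

# Constructed stand-ins for the rule's reference lists (assumption: real lists are longer).
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp"}
FILE_EXTENSIONS_MACROS = {"docm", "xlsm", "pptm"}

# The rule's OCR lure regex ported to Python; [[:punct:]] is spelled out (assumption).
_PUNCT = re.escape(string.punctuation)
MICROSOFT_LURE = re.compile(
    r"Microsoft\s*(?:\w+(?:\s*\w+)?|[" + _PUNCT + r"]+|\s+){0,3}\s*"
    r"(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code"
    r"|action.require|alert|Att(?:n|ention))",
    re.IGNORECASE,
)
QR_INSTRUCTION = re.compile(r"scan|camera", re.IGNORECASE)
QR_TOKEN = re.compile(r"\bQR\b|Q\.R\.|barcode", re.IGNORECASE)
# regex.contains in the rule is case-sensitive, so no IGNORECASE here
SUBJECT_URGENCY = re.compile(
    r"(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)"
)
CONTENT_ID = re.compile(r"^<(?P<cid>[^\>]+)\>$")


@dataclass
class Attachment:
    file_type: str
    content_id: str = ""
    ocr_text: str = ""                                     # .scan.ocr.raw after file.explode
    logo_brands: List[str] = field(default_factory=list)  # ml.logo_detect(.).brands names
    qr_type: Optional[str] = None                          # .scan.qr.type
    qr_data: str = ""                                      # .scan.qr.data


@dataclass
class Recipient:
    email: str
    domain_valid: bool = True
    display_name: str = ""

    @property
    def local_part(self) -> str:
        return self.email.split("@", 1)[0]

    @property
    def sld(self) -> str:
        parts = self.email.split("@", 1)[1].split(".")
        return parts[-2] if len(parts) >= 2 else parts[0]


@dataclass
class Message:
    subject: str
    body_text: Optional[str]
    body_html: str
    sender_display_name: str
    sender_domain: str
    recipients: List[Recipient]
    attachments: List[Attachment]
    compauth_pass: bool = False       # a hop carried compauth verdict == "pass"
    solicited: bool = False           # profile.by_sender().solicited
    any_benign: bool = False          # profile.by_sender().any_messages_benign
    any_malicious_or_spam: bool = False


def variant(msg: Message, **changes) -> Message:
    """Copy a message with some fields changed (used for negative cases)."""
    return replace(msg, **changes)


def _lure_candidate(a: Attachment) -> bool:
    return (a.file_type in FILE_TYPES_IMAGES or a.file_type == "pdf"
            or a.file_type.lower() in FILE_EXTENSIONS_MACROS)


def _inline_in_body(a: Attachment, html: str) -> bool:
    # image attachment actually displayed in the body: its content-id appears in the HTML
    m = CONTENT_ID.match(a.content_id)
    cid = m.group("cid") if m else a.content_id
    return bool(cid) and cid.lower() in html.lower()


def microsoft_lure(msg: Message) -> bool:
    """Clause 1: a Microsoft-branded image/PDF, or a short body with an inline image whose OCR carries the lure."""
    if any(_lure_candidate(a) and any(b.startswith("Microsoft") for b in a.logo_brands)
           for a in msg.attachments):
        return True
    return len(msg.body_text or "") < 300 and any(
        a.file_type in FILE_TYPES_IMAGES and _inline_in_body(a, msg.body_html)
        and MICROSOFT_LURE.search(a.ocr_text) is not None
        for a in msg.attachments)


def qr_reference(msg: Message) -> bool:
    """Clause 2: QR wording in OCR, or a QR URL tied to the recipient / an empty body / urgent subject."""
    for a in msg.attachments:
        if not _lure_candidate(a):
            continue
        if QR_INSTRUCTION.search(a.ocr_text) and QR_TOKEN.search(a.ocr_text):
            return True
        if a.qr_type != "url":
            continue
        for r in msg.recipients:
            if not (r.domain_valid or "undisclosed" in r.display_name.lower()):
                continue
            if (r.email.lower() in a.qr_data.lower()
                    or r.sld.lower() in msg.sender_display_name.lower()
                    or r.local_part.lower() in (msg.body_text or "").lower()
                    or not msg.body_text
                    or SUBJECT_URGENCY.search(msg.subject)):
                return True
    return False


def rule_matches(msg: Message) -> bool:
    if not (microsoft_lure(msg) and qr_reference(msg)):
        return False
    if msg.compauth_pass and msg.sender_domain == "microsoft.com":   # genuine Microsoft mail
        return False
    if msg.any_benign:                                               # known-good sender
        return False
    return (not msg.solicited) or msg.any_malicious_or_spam


# Constructed sample: inline PNG whose OCR text carries the lure and a QR URL embedding the recipient.
SAMPLE = Message(
    subject="Action required: verify your account",
    body_text="",
    body_html='<html><body><img src="cid:img001@mailer"></body></html>',
    sender_display_name="Microsoft Security",
    sender_domain="mailer.example.net",
    recipients=[Recipient(email="jdoe@example.com")],
    attachments=[Attachment(file_type="png", content_id="<img001@mailer>",
                            ocr_text="Microsoft Authenticator\nScan the QR code with your camera",
                            qr_type="url", qr_data="https://phish.example/verify?e=jdoe@example.com")],
)
```

`rule_matches(SAMPLE)` is true; flipping `any_benign` to true, or setting `compauth_pass` with a `microsoft.com` sender domain, negates it exactly as the rule's trailing clauses do.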
Detection logic
Scope: inbound message.
all of:
- inbound message
- any of:
  - any of attachments where all hold:
    - any of:
      - .file_type in $file_types_images
      - .file_type is 'pdf'
      - .file_type in $file_extensions_macros
    - any of:
      - any of ml.logo_detect(.).brands where:
        - .name starts with 'Microsoft'
      - any of file.explode(.) where all hold:
        - .flavors.mime is 'text/xml'
        - any of .scan.strings.strings where:
          - . matches 'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
  - any of ml.logo_detect(file.message_screenshot()).brands where:
    - .name starts with 'Microsoft'
  - all of:
    - length(body.current_thread.text) < 300
    - any of filter(attachments, .file_type in $file_types_images and .content_id referenced in body.html.raw) where:
      - any of file.explode(.) where:
        - .scan.ocr.raw matches 'Microsoft\s*(?:\w+(?:\s*\w+)?|[[:punct:]]+|\s+){0,3}\s*(?:Authenticat(?:e|or|ion)|2fa|Multi.Factor|(?:qr|bar).code|action.require|alert|Att(?:n|ention))'
- any of attachments where all hold:
  - any of:
    - .file_type in $file_types_images
    - .file_type is 'pdf'
    - .file_type in $file_extensions_macros
  - any of:
    - any of file.explode(.) where all hold:
      - .scan.ocr.raw matches 'scan|camera'
      - .scan.ocr.raw matches '\bQR\b|Q\.R\.|barcode'
    - any of file.explode(.) where all hold:
      - .scan.qr.type is 'url'
      - any of recipients.to where all hold:
        - any of:
          - strings.icontains(..scan.qr.data, .email.email)
          - any of recipients.to where:
            - strings.icontains(sender.display_name, .email.domain.sld)
          - any of recipients.to where:
            - strings.icontains(body.current_thread.text, .email.local_part)
          - body.current_thread.text is missing
          - body.current_thread.text is ''
          - subject.subject matches '(Authenticat(e|or|ion)|2fa|Multi.Factor|(qr|bar).code|action.require|alert|Att(n|ention):)'
        - any of:
          - .email.domain.valid
          - .display_name contains 'undisclosed'
- not:
  - any of headers.hops where all hold:
    - .authentication_results.compauth.verdict is set
    - .authentication_results.compauth.verdict is 'pass'
    - sender.email.domain.domain is 'microsoft.com'
- any of:
  - not:
    - profile.by_sender().solicited
  - all of:
    - profile.by_sender().any_messages_malicious_or_spam
    - not:
      - profile.by_sender().any_messages_benign
- not:
  - profile.by_sender().any_messages_benign
Inspects: attachments[].content_id, attachments[].file_type, body.current_thread.text, body.html.raw, headers.hops, headers.hops[].authentication_results.compauth.verdict, recipients.to, recipients.to[].display_name, recipients.to[].email.domain.sld, recipients.to[].email.domain.valid, recipients.to[].email.email, recipients.to[].email.local_part, sender.display_name, sender.email.domain.domain, subject.subject, type.inbound. Sensors: file.explode, file.message_screenshot, ml.logo_detect, profile.by_sender, regex.contains, regex.extract, regex.icontains, strings.icontains, strings.starts_with. Reference lists: $file_extensions_macros, $file_types_images.
Indicators matched (13)
| Field | Match | Value |
|---|---|---|
| attachments[].file_type | equals | `pdf` |
| strings.starts_with | prefix | `Microsoft` |
| file.explode(attachments[])[].flavors.mime | equals | `text/xml` |
| regex.icontains | regex | `Microsoft\s*(?:\w+(?:\s*\w+)?\|[[:punct:]]+\|\s+){0,3}\s*(?:Authenticat(?:e\|or\|ion)\|2fa\|Multi.Factor\|(?:qr\|bar).code\|action.require\|alert\|Att(?:n\|ention))` |
| regex.extract | regex | `^<(?P<cid>[^\>]+)\>$` |
| regex.icontains | regex | `scan\|camera` |
| regex.icontains | regex | `\bQR\b\|Q\.R\.\|barcode` |
| file.explode(attachments[])[].scan.qr.type | equals | `url` |
| body.current_thread.text | equals | `""` (empty string) |
| regex.contains | regex | `(Authenticat(e\|or\|ion)\|2fa\|Multi.Factor\|(qr\|bar).code\|action.require\|alert\|Att(n\|ention):)` |
| strings.icontains | substring | `undisclosed` |
| headers.hops[].authentication_results.compauth.verdict | equals | `pass` |
| sender.email.domain.domain | equals | `microsoft.com` |