Detection rules › Sublime MQL

Attachment: Microsoft impersonation via PDF with link and suspicious language

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Attached PDF contains a Microsoft-affiliated logo, suspicious language or keywords, and a link: a known credential-phishing and malware delivery pattern.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                Values
Attack types            Credential Phishing, Malware/Ransomware
Tactics and techniques  Image as content, Impersonation: Brand, PDF, Scripting, Social engineering

Event coverage

Rule body MQL

type.inbound
and (
  any(attachments,
      (.file_extension == "pdf" or .file_type == "pdf")
      and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
  )
)
and any(attachments,
        (.file_extension == "pdf" or .file_type == "pdf")
        and any(file.explode(.),
                (
                  length(filter([
                                  "password",
                                  "unread messages",
                                  "Shared Documents",
                                  "expiration",
                                  "expire",
                                  "expiring",
                                  "kindly",
                                  "renew",
                                  "review",
                                  "emails failed",
                                  "kicked out",
                                  "prevented",
                                  "storage",
                                  "required now",
                                  "cache",
                                  "qr code",
                                  "security update",
                                  "invoice",
                                  "retrieve",
                                  'engine failed',
                                  'OneDrive Error',
                                  'problem connecting',
                                  'secure file',
                                  'access'
                                ],
                                strings.icontains(..scan.ocr.raw, .)
                         )
                  ) >= 2
                  or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                         .name == "cred_theft" and .confidence == "high"
                  )
                )
                and (length(.scan.url.urls) > 0 or length(.scan.pdf.urls) > 0)
        )
)
and (
  not any(headers.hops,
          .authentication_results.compauth.verdict is not null
          and .authentication_results.compauth.verdict == "pass"
          and sender.email.domain.domain in (
            "microsoft.com",
            "sharepointonline.com"
          )
  )
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

Attached PDF contains a Microsoft-affiliated logo, suspicious language or keywords, and a link: a known credential-phishing and malware delivery pattern.

  1. inbound message
  2. any of attachments where all hold:
    • any of:
      • .file_extension is 'pdf'
      • .file_type is 'pdf'
    • any of ml.logo_detect(.).brands where:
      • .name starts with 'Microsoft'
  3. any of attachments where all hold:
    • any of:
      • .file_extension is 'pdf'
      • .file_type is 'pdf'
    • any of file.explode(.) where all hold:
      • any of:
        • length(filter(['password', 'unread messages', 'Shared Documents', 'expiration', 'expire', 'expiring', 'kindly', 'renew', 'review', 'emails failed', 'kicked out', 'prevented', 'storage', 'required now', 'cache', 'qr code', 'security update', 'invoice', 'retrieve', 'engine failed', 'OneDrive Error', 'problem connecting', 'secure file', 'access'], strings.icontains(.scan.ocr.raw, .))) ≥ 2
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
          • .name is 'cred_theft'
          • .confidence is 'high'
      • any of:
        • length(.scan.url.urls) > 0
        • length(.scan.pdf.urls) > 0
  4. not:
    • any of headers.hops where all hold:
      • .authentication_results.compauth.verdict is set
      • .authentication_results.compauth.verdict is 'pass'
      • sender.email.domain.domain in ('microsoft.com', 'sharepointonline.com')
  5. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: attachments[].file_extension, attachments[].file_type, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].authentication_results.compauth.verdict, sender.email.domain.domain, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.logo_detect, ml.nlu_classifier, strings.icontains, strings.starts_with. Reference lists: $high_trust_sender_root_domains.
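The same predicates, re-implemented in Python so they can be run over constructed messages offline. This is an added example, not Sublime's engine and not code from the sublime-rules project: the message layout (Message, Attachment, ExplodedPart) is an assumption made for illustration, the outputs of ml.logo_detect, ml.nlu_classifier and file.explode are supplied as pre-computed inputs, and HIGH_TRUST_ROOT_DOMAINS is a stand-in for the $high_trust_sender_root_domains list. Only the keyword list, the domain constants and the boolean structure are taken from the rule.

```python
# Added example: stand-alone re-implementation of the rule's predicates over
# constructed sample messages. Not Sublime code; data model is assumed.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Keyword list copied from the rule; strings.icontains is case-insensitive.
KEYWORDS = [
    "password", "unread messages", "Shared Documents", "expiration", "expire",
    "expiring", "kindly", "renew", "review", "emails failed", "kicked out",
    "prevented", "storage", "required now", "cache", "qr code", "security update",
    "invoice", "retrieve", "engine failed", "OneDrive Error", "problem connecting",
    "secure file", "access",
]
MICROSOFT_SENDER_DOMAINS = {"microsoft.com", "sharepointonline.com"}
# Assumed stand-in for $high_trust_sender_root_domains.
HIGH_TRUST_ROOT_DOMAINS = {"trusted-partner.example"}


@dataclass
class ExplodedPart:
    """One element of file.explode(attachment): OCR text, URLs, NLU intents."""
    ocr_raw: str
    urls: List[str] = field(default_factory=list)                  # scan.url.urls + scan.pdf.urls
    intents: List[Tuple[str, str]] = field(default_factory=list)   # (name, confidence) from NLU


@dataclass
class Attachment:
    file_extension: str
    file_type: str
    brands: List[str] = field(default_factory=list)                # names from ml.logo_detect
    parts: List[ExplodedPart] = field(default_factory=list)


@dataclass
class Message:
    inbound: bool
    sender_domain: str                       # sender.email.domain.domain
    sender_root_domain: str                  # sender.email.domain.root_domain
    attachments: List[Attachment]
    compauth_verdicts: List[Optional[str]]   # one per hop; None when the header is absent
    dmarc_pass: bool                         # headers.auth_summary.dmarc.pass


def is_pdf(att: Attachment) -> bool:
    return att.file_extension == "pdf" or att.file_type == "pdf"


def keyword_hits(ocr_text: str) -> List[str]:
    """Mirror of filter(KEYWORDS, strings.icontains(..scan.ocr.raw, .))."""
    lowered = ocr_text.lower()
    return [k for k in KEYWORDS if k.lower() in lowered]


def has_microsoft_logo(att: Attachment) -> bool:
    return any(b.startswith("Microsoft") for b in att.brands)


def part_is_lure(part: ExplodedPart) -> bool:
    """Suspicious language AND at least one URL in the same exploded element."""
    suspicious_language = (
        len(keyword_hits(part.ocr_raw)) >= 2
        or any(n == "cred_theft" and c == "high" for n, c in part.intents)
    )
    return suspicious_language and len(part.urls) > 0


def compauth_exception(msg: Message) -> bool:
    """Excluded: a hop with compauth=pass AND a Microsoft sender domain."""
    return any(
        v is not None and v == "pass" and msg.sender_domain in MICROSOFT_SENDER_DOMAINS
        for v in msg.compauth_verdicts
    )


def high_trust_exception(msg: Message) -> bool:
    """High-trust root domains are excluded only while DMARC passes."""
    return msg.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS and msg.dmarc_pass


def rule_matches(msg: Message) -> bool:
    if not msg.inbound:
        return False
    if not any(is_pdf(a) and has_microsoft_logo(a) for a in msg.attachments):
        return False
    if not any(is_pdf(a) and any(part_is_lure(p) for p in a.parts) for a in msg.attachments):
        return False
    return not (compauth_exception(msg) or high_trust_exception(msg))


# Constructed samples (not real messages).
LURE = Message(
    inbound=True, sender_domain="mail.lookalike.example", sender_root_domain="lookalike.example",
    attachments=[Attachment("pdf", "pdf", brands=["Microsoft OneDrive"], parts=[ExplodedPart(
        "Kindly review the attached invoice and click below to access the secure file.",
        urls=["https://lookalike.example/login"])])],
    compauth_verdicts=["fail"], dmarc_pass=False,
)
GENUINE = Message(  # same PDF, but compauth=pass from microsoft.com: excluded
    inbound=True, sender_domain="microsoft.com", sender_root_domain="microsoft.com",
    attachments=LURE.attachments, compauth_verdicts=[None, "pass"], dmarc_pass=True,
)

if __name__ == "__main__":
    for name, m in (("LURE", LURE), ("GENUINE", GENUINE)):
        print(name, rule_matches(m), keyword_hits(m.attachments[0].parts[0].ocr_raw))
```

Two points the structure makes visible. In the rule, `..scan.ocr.raw` inside the `filter` refers to the enclosing `file.explode` element (the single dot is the keyword being tested), and the URL count is checked on that same element, so the language and the link must come from one exploded part, not from two different pages or images of the PDF. And because the keyword list contains generic words ("access", "review", "invoice", "storage"), the two-hit threshold is reached by plenty of legitimate mail; the logo match, the link requirement and the two sender exceptions are what keep the rule precise, which is why a high-trust domain is still flagged when its DMARC check fails.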

Indicators matched (8)

Field | Match | Value
attachments[].file_extension | equals | pdf
attachments[].file_type | equals | pdf
strings.starts_with | prefix | Microsoft
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name | equals | cred_theft
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].confidence | equals | high
headers.hops[].authentication_results.compauth.verdict | equals | pass
sender.email.domain.domain | member | microsoft.com
sender.email.domain.domain | member | sharepointonline.com