detection.wiki

Detection rules › Sublime MQL

Brand impersonation: Microsoft

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

Impersonation of the Microsoft brand.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesImpersonation: Brand, Social engineering

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
body.links (collection)
headers.auth_summary
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  length(body.links) < 30
  or sender.email.local_part == "newsletter" and length(body.links) < 5
)
and (
  (
    strings.ilike(subject.subject, '*Microsoft 365*')
    and strings.ilike(subject.subject, '*is expired*')
  )
  or (
    // should catch any instance of the word "expired"
    strings.ilike(body.current_thread.text, "*expir*")
    and strings.ilike(body.current_thread.text, "*password*")
    and strings.ilike(body.current_thread.text, "*microsoft*")
  )
  or regex.icontains(body.current_thread.text,
                     ".*reach you.{0,20}Microsoft Teams"
  )
  or strings.icontains(body.current_thread.text, "microsoft account team")
  or strings.ilike(sender.display_name, '*new activity in Teams*')
  or strings.icontains(strings.replace_confusables(sender.display_name),
                       'microsoft advertising support'
  )
  or subject.subject =~ 'Offline Message in Teams'
  or strings.ilike(subject.subject, '*Teams Sent A Message')
  or sender.display_name in~ (
    'Microsoft Partner Network',
    'Microsoft Advertising',
    'Microsoft',
    'Microsoft Feedback',
    'Microsoft account team',
    'Microsoft Support',
    'Microsoft 365 Message center',
    'Microsoft Azure'
  )
  or regex.icontains(sender.display_name,
                     "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][cćĉċčçƈȼ𝐜𝑐][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]"
  )
  or regex.icontains(sender.display_name,
                     "[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][cćĉċčçƈȼ𝐜𝑐][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]" // [sic]
  )
)
and not (
  sender.email.domain.root_domain in~ (
    'microsoft.com',
    'microsoftstoreemail.com',
    'microsoftsupport.com',
    'office.com',
    'teams-events.com',
    'qualtrics-research.com',
    'skype.com',
    'azureadnotifications.us',
    'microsoftonline.us',
    'mail.microsoft',
    'office365.com',
    'microsoftadvertising.com'
  )
  and headers.auth_summary.dmarc.pass
)
and not (
  sender.email.domain.domain in~ (
    'microsoft.regsvc.com',
    'microsoft.onmicrosoft.com'
  )
  and headers.auth_summary.dmarc.pass
)
and (
  profile.by_sender().prevalence in ("new", "outlier")
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)

// negate legitimate Office 365 bouncebacks
and not (
  all(attachments,
      .content_type in ("message/delivery-status", "message/rfc822")
  )
  and (
    sender.email.local_part in ('postmaster', 'mailer-daemon')
    or strings.starts_with(sender.email.local_part, 'microsoftexchange')
  )
  and (
    strings.contains(subject.subject, 'Undeliverable:')
    or strings.contains(subject.subject, 'Blocked:')
    or strings.contains(subject.subject, 'Não é possível entregar:')
  )
)

// negate other legitimate MS notifications
and not (
  length(body.links) > 0
  and all(body.links,
          .href_url.domain.root_domain in (
            "aka.ms",
            "microsoftonline.com",
            "microsoft.com"
          )
          or .href_url.domain.tld == "microsoft"
  )
  and headers.auth_summary.dmarc.pass
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// not a newsletter or advertisement
and not (
  any(ml.nlu_classifier(body.current_thread.text).topics,
      .name in ("Newsletters and Digests") and .confidence == "high"
  )
  and (
    any(body.links,
        strings.icontains(.display_text, "unsubscribe")
        and (strings.icontains(.href_url.path, "unsubscribe"))
    )
  )
)

Detection logic

Scope: inbound message.

Impersonation of the Microsoft brand.

  1. inbound message
  2. any of:
    • length(body.links) < 30
    • all of:
      • sender.email.local_part is 'newsletter'
      • length(body.links) < 5
  3. any of:
    • all of:
      • subject.subject matches '*Microsoft 365*'
      • subject.subject matches '*is expired*'
    • all of:
      • body.current_thread.text matches '*expir*'
      • body.current_thread.text matches '*password*'
      • body.current_thread.text matches '*microsoft*'
    • body.current_thread.text matches '.*reach you.{0,20}Microsoft Teams'
    • body.current_thread.text contains 'microsoft account team'
    • sender.display_name matches '*new activity in Teams*'
    • strings.replace_confusables(sender.display_name) contains 'microsoft advertising support'
    • subject.subject is 'Offline Message in Teams'
    • subject.subject matches '*Teams Sent A Message'
    • sender.display_name in ('Microsoft Partner Network', 'Microsoft Advertising', 'Microsoft', 'Microsoft Feedback', 'Microsoft account team', 'Microsoft Support', 'Microsoft 365 Message center', 'Microsoft Azure')
    • sender.display_name matches '[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][cćĉċčçƈȼ𝐜𝑐][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]'
    • sender.display_name matches '[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][cćĉċčçƈȼ𝐜𝑐][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]'
  4. not:
    • all of:
      • sender.email.domain.root_domain in ('microsoft.com', 'microsoftstoreemail.com', 'microsoftsupport.com', 'office.com', 'teams-events.com', 'qualtrics-research.com', 'skype.com', 'azureadnotifications.us', 'microsoftonline.us', 'mail.microsoft', 'office365.com', 'microsoftadvertising.com')
      • headers.auth_summary.dmarc.pass
  5. not:
    • all of:
      • sender.email.domain.domain in ('microsoft.regsvc.com', 'microsoft.onmicrosoft.com')
      • headers.auth_summary.dmarc.pass
  6. any of:
    • profile.by_sender().prevalence in ('new', 'outlier')
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  7. not:
    • all of:
      • all of attachments where:
        • .content_type in ('message/delivery-status', 'message/rfc822')
      • any of:
        • sender.email.local_part in ('postmaster', 'mailer-daemon')
        • sender.email.local_part starts with 'microsoftexchange'
      • any of:
        • subject.subject contains 'Undeliverable:'
        • subject.subject contains 'Blocked:'
        • subject.subject contains 'Não é possível entregar:'
  8. not:
    • all of:
      • length(body.links) > 0
      • all of body.links where any holds:
        • .href_url.domain.root_domain in ('aka.ms', 'microsoftonline.com', 'microsoft.com')
        • .href_url.domain.tld is 'microsoft'
      • headers.auth_summary.dmarc.pass
  9. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  10. not:
    • all of:
      • any of ml.nlu_classifier(body.current_thread.text).topics where all hold:
        • .name in ('Newsletters and Digests')
        • .confidence is 'high'
      • any of body.links where all hold:
        • .display_text contains 'unsubscribe'
        • .href_url.path contains 'unsubscribe'

Inspects: attachments[].content_type, body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.tld, body.links[].href_url.path, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.local_part, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, regex.icontains, strings.contains, strings.icontains, strings.ilike, strings.replace_confusables, strings.starts_with. Reference lists: $high_trust_sender_root_domains.

Indicators matched (51)

FieldMatchValue
sender.email.local_partequalsnewsletter
strings.ilikesubstring*Microsoft 365*
strings.ilikesubstring*is expired*
strings.ilikesubstring*expir*
strings.ilikesubstring*password*
strings.ilikesubstring*microsoft*
regex.icontainsregex.*reach you.{0,20}Microsoft Teams
strings.icontainssubstringmicrosoft account team
strings.ilikesubstring*new activity in Teams*
strings.icontainssubstringmicrosoft advertising support
subject.subjectequalsOffline Message in Teams
strings.ilikesubstring*Teams Sent A Message
39 more
sender.display_namememberMicrosoft Partner Network
sender.display_namememberMicrosoft Advertising
sender.display_namememberMicrosoft
sender.display_namememberMicrosoft Feedback
sender.display_namememberMicrosoft account team
sender.display_namememberMicrosoft Support
sender.display_namememberMicrosoft 365 Message center
sender.display_namememberMicrosoft Azure
regex.icontainsregex[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][cćĉċčçƈȼ𝐜𝑐][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]
regex.icontainsregex[MḾṀṂⱮМḿṁṃᵯⱮ𝐌𝑀][iíìîïīĭĩįıɪɨᵢⁱ𝐢𝑖][rŕŗřȑȓɾᵣⁿʳ𝐫𝑟][cćĉċčçƈȼ𝐜𝑐][oóòôõöøōŏőɵₒᵒº𝐨𝑜][sśŝšșşʂᵴˢˢ𝐬𝑠][oóòôõöøōŏőɵₒᵒº𝐨𝑜][fḟƒᵮᶠ𝐟𝑓][tťțţᵵₜᵗᵗ𝐭𝑡]
sender.email.domain.root_domainmembermicrosoft.com
sender.email.domain.root_domainmembermicrosoftstoreemail.com
sender.email.domain.root_domainmembermicrosoftsupport.com
sender.email.domain.root_domainmemberoffice.com
sender.email.domain.root_domainmemberteams-events.com
sender.email.domain.root_domainmemberqualtrics-research.com
sender.email.domain.root_domainmemberskype.com
sender.email.domain.root_domainmemberazureadnotifications.us
sender.email.domain.root_domainmembermicrosoftonline.us
sender.email.domain.root_domainmembermail.microsoft
sender.email.domain.root_domainmemberoffice365.com
sender.email.domain.root_domainmembermicrosoftadvertising.com
sender.email.domain.domainmembermicrosoft.regsvc.com
sender.email.domain.domainmembermicrosoft.onmicrosoft.com
attachments[].content_typemembermessage/delivery-status
attachments[].content_typemembermessage/rfc822
sender.email.local_partmemberpostmaster
sender.email.local_partmembermailer-daemon
strings.starts_withprefixmicrosoftexchange
strings.containssubstringUndeliverable:
strings.containssubstringBlocked:
strings.containssubstringNão é possível entregar:
body.links[].href_url.domain.root_domainmemberaka.ms
body.links[].href_url.domain.root_domainmembermicrosoftonline.com
body.links[].href_url.domain.root_domainmembermicrosoft.com
body.links[].href_url.domain.tldequalsmicrosoft
ml.nlu_classifier(body.current_thread.text).topics[].namememberNewsletters and Digests
ml.nlu_classifier(body.current_thread.text).topics[].confidenceequalshigh
strings.icontainssubstringunsubscribe