Brand impersonation: Microsoft quarantine release notification in image attachment

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

Message with an image attachment that contains credential-theft language and references to the Microsoft Exchange quarantine, but that did not come from Microsoft.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Credential Phishing
Tactics and techniques | Free file host, Impersonation: Brand, Social engineering

Event coverage

Rule body MQL

type.inbound
and length(filter(attachments, .file_type not in $file_types_images)) == 0
and any(attachments,
        any(file.explode(.),
            (
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name == "cred_theft" and .confidence != "low"
              )
              or (
                length(ml.nlu_classifier(.scan.ocr.raw).intents) == 0
                and length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
              )
            )
            and (
              (
                any(ml.nlu_classifier(.scan.ocr.raw).entities,
                    .name == "urgency"
                )
              )
              or any(ml.nlu_classifier(.scan.ocr.raw).entities,
                     .name == "sender" and strings.icontains(.text, "Microsoft")
              )
            )
        )
        and any(file.explode(.),
                3 of (
                  strings.icontains(.scan.ocr.raw, "review"),
                  strings.icontains(.scan.ocr.raw, "release"),
                  strings.icontains(.scan.ocr.raw, "quarantine"),
                  strings.icontains(.scan.ocr.raw, "messages"),
                  strings.icontains(.scan.ocr.raw, "blocked"),
                  strings.icontains(.scan.ocr.raw, "notification"),
                  any(ml.logo_detect(..).brands,
                      strings.starts_with(.name, "Microsoft")
                  )
                )
        )
)
and sender.email.domain.root_domain not in (
  "bing.com",
  "microsoft.com",
  "microsoftonline.com",
  "microsoftsupport.com",
  "microsoft365.com",
  "office.com",
  "onedrive.com",
  "sharepointonline.com",
  "yammer.com",
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

Message with an image attachment that contains credential-theft language and references to the Microsoft Exchange quarantine, but that did not come from Microsoft.

  1. inbound message
  2. length(filter(attachments, .file_type not in $file_types_images)) is 0
  3. any of attachments where all hold:
    • any of file.explode(.) where all hold:
      • any of:
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
          • .name is 'cred_theft'
          • .confidence is not 'low'
        • all of:
          • length(ml.nlu_classifier(.scan.ocr.raw).intents) is 0
          • length(ml.nlu_classifier(.scan.ocr.raw).entities) > 2
      • any of:
        • any of ml.nlu_classifier(.scan.ocr.raw).entities where:
          • .name is 'urgency'
        • any of ml.nlu_classifier(.scan.ocr.raw).entities where all hold:
          • .name is 'sender'
          • .text contains 'Microsoft'
    • any of file.explode(.) where:
      • at least 3 of:
        • .scan.ocr.raw contains 'review'
        • .scan.ocr.raw contains 'release'
        • .scan.ocr.raw contains 'quarantine'
        • .scan.ocr.raw contains 'messages'
        • .scan.ocr.raw contains 'blocked'
        • .scan.ocr.raw contains 'notification'
        • any of ml.logo_detect(..).brands (logo detection on the parent attachment, not the exploded file) where:
          • .name starts with 'Microsoft'
  4. sender.email.domain.root_domain not in ('bing.com', 'microsoft.com', 'microsoftonline.com', 'microsoftsupport.com', 'microsoft365.com', 'office.com', 'onedrive.com', 'sharepointonline.com', 'yammer.com')
  5. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  6. not:
    • profile.by_sender().solicited
  7. not:
    • profile.by_sender().any_messages_benign

Inspects: attachments[].file_type, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.logo_detect, ml.nlu_classifier, profile.by_sender, strings.icontains, strings.starts_with. Reference lists: $file_types_images, $high_trust_sender_root_domains.
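To make the clause ordering concrete, the following is an added Python model of the rule's boolean structure; it is not Sublime's MQL engine and not code from the sublime-rules repository. OCR text, NLU intents/entities and detected logo brands are supplied as constructed inputs because the ml.* sensors only run inside Sublime, and the IMAGE_FILE_TYPES and HIGH_TRUST_ROOT_DOMAINS sets are placeholders for the $file_types_images and $high_trust_sender_root_domains reference lists, whose contents the page does not show. The sample messages (sender domains, OCR text) are constructed as well.

```python
# Added example: a Python model of this rule's boolean structure. It is not
# Sublime's MQL engine. OCR text, NLU intents/entities and logo brands are
# supplied as constructed inputs because the ml.* sensors only run in Sublime.
from dataclasses import dataclass, field

# Sender root domains the rule excludes (taken from the rule body).
MICROSOFT_ROOT_DOMAINS = {
    "bing.com", "microsoft.com", "microsoftonline.com", "microsoftsupport.com",
    "microsoft365.com", "office.com", "onedrive.com", "sharepointonline.com",
    "yammer.com",
}
OCR_KEYWORDS = ("review", "release", "quarantine", "messages", "blocked", "notification")
# Constructed placeholders for the $file_types_images and
# $high_trust_sender_root_domains reference lists (real contents are not on the page).
IMAGE_FILE_TYPES = {"png", "jpg", "jpeg", "gif"}
HIGH_TRUST_ROOT_DOMAINS = {"example-trusted.com"}

@dataclass
class ExplodedFile:
    """One item of file.explode(attachment): OCR text plus NLU classifier output."""
    ocr_raw: str
    intents: list = field(default_factory=list)   # [(name, confidence), ...]
    entities: list = field(default_factory=list)  # [(name, text), ...]

@dataclass
class Attachment:
    file_type: str
    exploded: list                                   # list[ExplodedFile]
    logo_brands: list = field(default_factory=list)  # ml.logo_detect(..).brands names

@dataclass
class Message:
    inbound: bool
    attachments: list
    sender_root_domain: str
    dmarc_pass: bool
    solicited: bool = False
    any_messages_benign: bool = False

def nlu_block_matches(f):
    """Credential-theft language (or an entity-heavy, intent-less image) plus urgency or a 'Microsoft' sender entity."""
    cred_theft = any(name == "cred_theft" and conf != "low" for name, conf in f.intents)
    entity_heavy = len(f.intents) == 0 and len(f.entities) > 2
    urgency = any(name == "urgency" for name, _ in f.entities)
    ms_sender = any(name == "sender" and "microsoft" in text.lower() for name, text in f.entities)
    return (cred_theft or entity_heavy) and (urgency or ms_sender)

def quarantine_theme_hits(f, att):
    """Count the '3 of' block: keyword hits in OCR text plus a Microsoft logo on the parent attachment."""
    text = f.ocr_raw.lower()
    hits = sum(1 for kw in OCR_KEYWORDS if kw in text)
    if any(brand.startswith("Microsoft") for brand in att.logo_brands):
        hits += 1
    return hits

def attachment_matches(att):
    return (any(nlu_block_matches(f) for f in att.exploded)
            and any(quarantine_theme_hits(f, att) >= 3 for f in att.exploded))

def rule_matches(msg):
    """Evaluate every clause of the rule in order; the first failing clause rejects the message."""
    if not msg.inbound:
        return False
    # length(filter(attachments, .file_type not in $file_types_images)) == 0
    if any(a.file_type not in IMAGE_FILE_TYPES for a in msg.attachments):
        return False
    if not any(attachment_matches(a) for a in msg.attachments):
        return False
    if msg.sender_root_domain in MICROSOFT_ROOT_DOMAINS:
        return False
    # High-trust domains are exempt only while they pass DMARC; a DMARC failure re-enables the rule.
    if msg.sender_root_domain in HIGH_TRUST_ROOT_DOMAINS and msg.dmarc_pass:
        return False
    if msg.solicited or msg.any_messages_benign:
        return False
    return True

def build_samples():
    """Constructed messages exercising the rule's main branches."""
    notice = ExplodedFile(
        ocr_raw="Microsoft 365 Security Center\n5 messages are blocked in quarantine. "
                "Review and release them within 24 hours or they will be deleted.",
        intents=[("cred_theft", "high")],
        entities=[("urgency", "within 24 hours"), ("sender", "Microsoft 365 Security Center")],
    )
    image = Attachment("png", [notice], logo_brands=["Microsoft"])
    return {
        "phish_from_free_host": Message(True, [image], "example-filehost.net", dmarc_pass=True),
        "real_microsoft": Message(True, [image], "microsoft.com", dmarc_pass=True),
        "high_trust_dmarc_pass": Message(True, [image], "example-trusted.com", dmarc_pass=True),
        "high_trust_dmarc_fail": Message(True, [image], "example-trusted.com", dmarc_pass=False),
        "pdf_instead_of_image": Message(True, [Attachment("pdf", [notice])], "example-filehost.net", dmarc_pass=True),
        "known_good_sender": Message(True, [image], "example-filehost.net", dmarc_pass=True, any_messages_benign=True),
    }

if __name__ == "__main__":
    for label, msg in build_samples().items():
        print(f"{label}: {'MATCH' if rule_matches(msg) else 'no match'}")
```

Running the script prints one verdict per sample. The two high-trust samples are the ones worth studying: the same image from the same trusted root domain matches only when DMARC fails, which is the behaviour the comment in the rule body describes.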

Indicators matched (20)

Field | Match | Value
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name | equals | cred_theft
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).entities[].name | equals | urgency
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).entities[].name | equals | sender
strings.icontains | substring | Microsoft
strings.icontains | substring | review
strings.icontains | substring | release
strings.icontains | substring | quarantine
strings.icontains | substring | messages
strings.icontains | substring | blocked
strings.icontains | substring | notification
strings.starts_with | prefix | Microsoft
sender.email.domain.root_domain | member | bing.com
sender.email.domain.root_domain | member | microsoft.com
sender.email.domain.root_domain | member | microsoftonline.com
sender.email.domain.root_domain | member | microsoftsupport.com
sender.email.domain.root_domain | member | microsoft365.com
sender.email.domain.root_domain | member | office.com
sender.email.domain.root_domain | member | onedrive.com
sender.email.domain.root_domain | member | sharepointonline.com
sender.email.domain.root_domain | member | yammer.com