diff --git a/detection-rules/link_microsoft_low_reputation.yml b/detection-rules/link_microsoft_low_reputation.yml
new file mode 100644
index 00000000000..e2d59e39c58
--- /dev/null
+++ b/detection-rules/link_microsoft_low_reputation.yml
@@ -0,0 +1,24 @@
+name: "Brand impersonation: Microsoft with low reputation links"
+description: "Detects low reputation links with Microsoft specific indicators in the body."
+type: "rule"
+severity: "medium"
+source: "type.inbound\n// suspicious link\nand any(body.links,\n (\n .href_url.domain.root_domain not in $tranco_1m\n or .href_url.domain.domain in $free_file_hosts\n or .href_url.domain.root_domain in $free_subdomain_hosts\n or .href_url.domain.domain in $url_shorteners\n or \n\n // mass mailer link, masks the actual URL\n .href_url.domain.root_domain in (\n \"hubspotlinks.com\",\n \"mandrillapp.com\",\n \"sendgrid.net\",\n \"rs6.net\"\n )\n\n // Google AMP redirect\n or (\n .href_url.domain.sld == \"google\"\n and strings.starts_with(.href_url.path, \"/amp/\")\n )\n )\n\n // exclude sources of potential FPs\n and (\n .href_url.domain.root_domain not in (\n \"svc.ms\",\n \"sharepoint.com\",\n \"1drv.ms\",\n \"microsoft.com\",\n \"aka.ms\",\n \"msftauthimages.net\"\n )\n or any(body.links, .href_url.domain.domain in $free_file_hosts)\n )\n and .href_url.domain.root_domain not in $org_domains\n)\n\n// not a reply\nand (\n length(headers.references) == 0\n or not any(headers.hops, any(.fields, strings.ilike(.name, \"In-Reply-To\")))\n)\n\n// Microsoft logo\nand (\n any(attachments,\n .file_type in $file_types_images\n and any(ml.logo_detect(.).brands, strings.starts_with(.name, \"Microsoft\"))\n )\n or any(ml.logo_detect(beta.message_screenshot()).brands,\n strings.starts_with(.name, \"Microsoft\")\n )\n)\n\n// suspicious content\nand (\n (\n strings.ilike(body.plain.raw,\n \"*password*\",\n \"*document*\",\n \"*voicemail*\",\n \"*cache*\",\n \"*fax*\",\n \"*storage*\",\n \"*quota*\",\n \"*message*\"\n )\n and strings.ilike(body.plain.raw,\n \"*terminated*\",\n \"*review*\",\n \"*expire*\",\n \"*click*\",\n \"*view*\",\n \"*exceed*\",\n \"*clear*\",\n \"*only works*\",\n \"*failed*\",\n \"*deleted*\"\n )\n )\n or (\n any(attachments,\n .file_type in 
$file_types_images\n and any(file.explode(.),\n strings.ilike(.scan.ocr.raw,\n \"*password*\",\n \"*document*\",\n \"*voicemail*\",\n \"*cache*\",\n \"*fax*\",\n \"*storage*\",\n \"*quota*\",\n \"*messages*\"\n )\n and strings.ilike(.scan.ocr.raw,\n \"*terminated*\",\n \"*review*\",\n \"*expire*\",\n \"*click*\",\n \"*view*\",\n \"*exceed*\",\n \"*clear*\",\n \"*only works*\",\n \"*failed*\",\n \"*deleted*\"\n )\n )\n )\n )\n or (\n any(file.explode(beta.message_screenshot()),\n strings.ilike(.scan.ocr.raw,\n \"*password*\",\n \"*document*\",\n \"*voicemail*\",\n \"*cache*\",\n \"*fax*\",\n \"*storage*\",\n \"*quota*\",\n \"*messages*\"\n )\n and strings.ilike(.scan.ocr.raw,\n \"*terminated*\",\n \"*review*\",\n \"*expire*\",\n \"*click*\",\n \"*view*\",\n \"*exceed*\",\n \"*clear*\",\n \"*only works*\",\n \"*failed*\",\n \"*deleted*\"\n )\n )\n )\n)\n\nand (\n any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"cred_theft\" and .confidence in~ (\"medium\", \"high\")\n )\n or any(attachments,\n .file_type in $file_types_images\n and any(file.explode(.),\n any(ml.nlu_classifier(.scan.ocr.raw).intents,\n .name == \"cred_theft\" and .confidence in (\"medium\", \"high\")\n )\n )\n )\n or (\n any(ml.nlu_classifier(body.html.inner_text).entities, .name == \"urgency\")\n and not any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"benign\" and .confidence == \"high\"\n )\n )\n)\nand sender.email.domain.root_domain not in (\n \"bing.com\",\n \"microsoft.com\",\n \"microsoftonline.com\",\n \"microsoftsupport.com\",\n \"microsoft365.com\",\n \"office.com\",\n \"onedrive.com\",\n \"sharepointonline.com\",\n \"yammer.com\"\n)\n\n// negate highly trusted sender domains unless they fail DMARC authentication\nand (\n (\n sender.email.domain.root_domain in $high_trust_sender_root_domains\n and (\n any(distinct(headers.hops, .authentication_results.dmarc is not null),\n strings.ilike(.authentication_results.dmarc, \"*fail\")\n )\n )\n )\n or 
sender.email.domain.root_domain not in $high_trust_sender_root_domains\n)\n"
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Free file host"
+ - "Image as content"
+ - "Impersonation: Brand"
+ - "Social engineering"
+detection_methods:
+ - "Computer Vision"
+ - "Content analysis"
+ - "File analysis"
+ - "Header analysis"
+ - "Natural Language Understanding"
+ - "Optical Character Recognition"
+ - "Sender analysis"
+ - "URL analysis"
+id: "b59201b6-f253-55a6-9c0a-e1500a32a751"
+testing_pr: 908
+testing_sha: 158fc62c9aabf0e4d136775b0a8ea7d824d1c0e5
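Review bot: The explicit sender allowlist near the end of the `source` string (`sender.email.domain.root_domain not in ("bing.com", "microsoft.com", ... "yammer.com")`) is applied unconditionally, so a message whose From: domain merely claims microsoft.com or office.com is exempted even when a hop's `authentication_results.dmarc` reports a failure, which is precisely the case the very next clause guards against for `$high_trust_sender_root_domains`; since this is a Microsoft brand-impersonation rule, an unauthenticated spoof of those domains is the message most worth catching. I would fold that list into the DMARC-gated clause so both sets are exempted only when DMARC does not fail, reusing the same `distinct(headers.hops, ...)` check the rule already has rather than a new field. Two smaller inconsistencies in the same string: the body-text keyword list uses `"*message*"` while both OCR keyword lists use `"*messages*"` (the narrower OCR form misses a bare "message"), and the body NLU check uses `.confidence in~ ("medium", "high")` whereas the OCR NLU check uses `.confidence in ("medium", "high")` — pick one form for both.

```yaml
// … unchanged: link, reply, logo, content and NLU checks …

// negate Microsoft and highly trusted sender domains unless they fail DMARC authentication
and not (
  (
    sender.email.domain.root_domain in (
      "bing.com",
      "microsoft.com",
      "microsoftonline.com",
      "microsoftsupport.com",
      "microsoft365.com",
      "office.com",
      "onedrive.com",
      "sharepointonline.com",
      "yammer.com"
    )
    or sender.email.domain.root_domain in $high_trust_sender_root_domains
  )
  and not any(distinct(headers.hops, .authentication_results.dmarc is not null),
    strings.ilike(.authentication_results.dmarc, "*fail")
  )
)
```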