Skip to content

Commit

Permalink
New Rule: Brand impersonation: Microsoft fake sign-in alert (#661)
Browse files Browse the repository at this point in the history
Co-authored-by: ID Generator <[email protected]>
Co-authored-by: Josh Kamdjou <[email protected]>
  • Loading branch information
3 people authored Aug 15, 2023
1 parent a359ab6 commit e12e8de
Showing 1 changed file with 96 additions and 0 deletions.
96 changes: 96 additions & 0 deletions detection-rules/impersonation_microsoft_fake_sign_in_alert.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
name: "Brand impersonation: Microsoft fake sign-in alert"
description: |
Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.
type: "rule"
severity: "medium"
source: |
type.inbound
// no links found in body
and length(body.links) == 0
// Microsoft strings
and (
strings.contains(subject.subject, "Microsoft")
or strings.contains(sender.display_name, "Microsoft")
or strings.contains(body.current_thread.text, "Microsoft")
or (
// or Microsoft Brand logo
any(attachments,
.file_type in ('png', 'jpeg', 'jpg', 'bmp')
and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
)
)
)
// Body contains Indicators of fake sign in notification
and (
regex.contains(body.current_thread.text,
'(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
)
or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
)
and (
// If the sender is freemail
sender.email.domain.domain in $free_email_providers
or (
// sender is not freemail, but the return path email or reply to email is
sender.email.domain.domain not in $free_email_providers
and (
headers.return_path.domain.root_domain in $free_email_providers
or (
length(headers.reply_to) > 0
and (
all(headers.reply_to, .email.domain.root_domain in $free_email_providers)
)
)
or (
// if all replyto domain, return_path domain, sender domain mismatch
length(headers.reply_to) > 0
and all(headers.reply_to,
.email.domain.domain != headers.return_path.domain.domain
and headers.return_path.domain.domain != sender.email.domain.domain
)
)
// or the domain is less than 90 days old
or beta.whois(sender.email.domain).days_old <= 90
or (
// or Compauth verdict is not pass/softpass
any(headers.hops,
.authentication_results.compauth.verdict is not null
and .authentication_results.compauth.verdict not in ("pass", "softpass")
)
)
)
)
)
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "File analysis"
- "Header analysis"
- "Sender analysis"
- "Whois"
id: "3f4c9e7a-4d85-5bee-bc8c-3a737924c236"

0 comments on commit e12e8de

Please sign in to comment.