New Rule: Brand impersonation: Microsoft fake sign-in alert (#661)
Co-authored-by: ID Generator <[email protected]> Co-authored-by: Josh Kamdjou <[email protected]>
1 parent
a359ab6
commit e12e8de
Showing
1 changed file
with
96 additions
and
0 deletions.
96 changes: 96 additions & 0 deletions
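--- a/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml
+++ b/detection-rules/impersonation_microsoft_fake_sign_in_alert.yml
@@ -0,0 +1,96 @@
+name: "Brand impersonation: Microsoft fake sign-in alert"
+description: |
+Detects messages impersonating Microsoft that mimic sign-in security alerts and attempt to solicit a response.
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+// no links found in body
+and length(body.links) == 0
+// Microsoft strings
+and (
+strings.contains(subject.subject, "Microsoft")
+or strings.contains(sender.display_name, "Microsoft")
+or strings.contains(body.current_thread.text, "Microsoft")
+or (
+// or Microsoft Brand logo
+any(attachments,
+.file_type in ('png', 'jpeg', 'jpg', 'bmp')
+and any(ml.logo_detect(.).brands, strings.starts_with(.name, "Microsoft"))
+)
+)
+)
+// Body contains Indicators of fake sign in notification
+and (
+regex.contains(body.current_thread.text,
+'(Country.region:.{0,20}IP address:|Platform:.{0,20}Browser:)'
+)
+or regex.contains(body.current_thread.text, "Unusual.{0,10}activity")
+)
+and (
+// If the sender is freemail
+sender.email.domain.domain in $free_email_providers
+or (
+// sender is not freemail, but the return path email or reply to email is
+sender.email.domain.domain not in $free_email_providers
+and (
+headers.return_path.domain.root_domain in $free_email_providers
+or (
+length(headers.reply_to) > 0
+and (
+all(headers.reply_to, .email.domain.root_domain in $free_email_providers)
+)
+)
+or (
+// if all replyto domain, return_path domain, sender domain mismatch
+length(headers.reply_to) > 0
+and all(headers.reply_to,
+.email.domain.domain != headers.return_path.domain.domain
+and headers.return_path.domain.domain != sender.email.domain.domain
+)
+)
+// or the domain is less than 90 days old
+or beta.whois(sender.email.domain).days_old <= 90
+or (
+// or Compauth verdict is not pass/softpass
+any(headers.hops,
+.authentication_results.compauth.verdict is not null
+and .authentication_results.compauth.verdict not in ("pass", "softpass")
+)
+)
+)
+)
+)
+and sender.email.domain.root_domain not in (
+"bing.com",
+"microsoft.com",
+"microsoftonline.com",
+"microsoftsupport.com",
+"microsoft365.com",
+"office.com",
+"onedrive.com",
+"sharepointonline.com",
+"yammer.com",
+)
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "Social engineering"
+detection_methods:
+- "Computer Vision"
+- "Content analysis"
+- "File analysis"
+- "Header analysis"
+- "Sender analysis"
+- "Whois"
+id: "3f4c9e7a-4d85-5bee-bc8c-3a737924c236"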
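Review bot: The branch under `// if all replyto domain, return_path domain, sender domain mismatch` does not check what its comment claims: inside `all(headers.reply_to, ...)` it compares reply-to against return-path and return-path against sender, but never reply-to against sender, and the second comparison does not depend on the loop variable at all. Either extend the predicate with `and .email.domain.domain != sender.email.domain.domain` or reword the comment to say only two of the three pairs are compared. Separately, the brand and indicator matches use the case-sensitive `strings.contains`/`regex.contains`, so a body reading `unusual sign-in activity` or a display name of `MICROSOFT` is missed; the case-insensitive `strings.icontains`/`regex.icontains` forms would close that gap without widening the rule otherwise. The root-domain exclusion list at the end is keyed on the sender header alone with no authentication condition, so a message that merely claims a `microsoft.com` sender is excluded as well; gating the exclusion on an authentication signal such as a DMARC pass would keep it to legitimate Microsoft mail.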