[PR sublime-security#3733] added rule: Brand impersonation: Microsoft with embedded logo and credential theft language

github-actions[bot] · github-actions[bot] · commit d59f95ce423f · 2026-01-16T21:30:08.000Z
diff --git a/detection-rules/3733_impersonation_microsoft_credential_theft.yml b/detection-rules/3733_impersonation_microsoft_credential_theft.yml
@@ -0,0 +1,142 @@
+name: "Brand impersonation: Microsoft with embedded logo and credential theft language"
+description: "This rule detects messages impersonating Microsoft via a logo and contains credential theft language. From a new and unsolicited sender."
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and (
+    (
+      length(attachments) > 0
+      and all(attachments,
+              .file_type in $file_types_images or .file_type == "pdf"
+      )
+    )
+    or length(attachments) == 0
+  )
+  and any(ml.logo_detect(file.message_screenshot()).brands,
+          strings.starts_with(.name, "Microsoft")
+  )
+  and (
+    any(ml.nlu_classifier(body.current_thread.text).intents,
+        .name == "cred_theft" and .confidence in ("medium", "high")
+    )
+    or (
+      length(body.current_thread.text) == 0
+      //
+      // This rule makes use of a beta feature and is subject to change without notice
+      // using the beta feature in custom rules is not suggested until it has been formally released
+      //
+      and any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
+              .name == "cred_theft" and .confidence in ("medium", "high")
+      )
+    )
+  )
+  and (
+    not (
+      headers.auth_summary.dmarc.pass
+      and headers.auth_summary.dmarc.details.from.domain in (
+        "azureadnotifications.us",
+        "microsoft.com",
+        "sharepointonline.com",
+        "cloudappsecurity.com",
+        "microsoftsupport.com",
+        "microsoft.onmicrosoft.com",
+        "yammer.com"
+      )
+    )
+    or headers.auth_summary.dmarc.pass is null
+    or headers.auth_summary.dmarc.details.from.domain is null
+  )
+  and not (
+    sender.email.domain.domain == "planner.office365.com"
+    and headers.return_path.email == "noreply@planner.office365.com"
+    and headers.auth_summary.dmarc.details.from.root_domain == "office365.com"
+  )
+  // Microsoft has some legit onmicrosoft domains...
+  and not (
+    sender.email.domain.domain == "microsoft.onmicrosoft.com"
+    and headers.auth_summary.spf.pass
+    and all(body.links, .href_url.domain.root_domain == "microsoft.com")
+  )
+  // message is not from sharepoint actual (additional check in case DMARC check above fails to bail out)
+  and not (
+    (
+      strings.ilike(headers.message_id,
+                    '<Share-*',
+                    '<MassDelete-*',
+                    '<FileDeleteAfterExpiration-*',
+                    '<NotifyOwnerSharedWithExternalUsers*',
+                    '<OneTimePasscode*'
+      )
+      and strings.ends_with(headers.message_id, '@odspnotify>')
+    )
+    or (
+      any(headers.hops,
+          any(.fields,
+              .name == "X-Google-Original-Message-ID"
+              and strings.ilike(.value,
+                                '<Share-*',
+                                '<MassDelete-*',
+                                '<FileDeleteAfterExpiration-*',
+                                '<NotifyOwnerSharedWithExternalUsers*',
+                                '<OneTimePasscode*'
+              )
+              and strings.ends_with(.value, '@odspnotify>')
+          )
+      )
+    )
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+  
+  // negate org domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $org_domains
+      and (
+        not headers.auth_summary.dmarc.pass
+        // MS quarantine digest emails from an org domain are router "internally" to MS, therefore, there is no authentication information
+        or not (
+          headers.auth_summary.dmarc.pass is null
+          and all(headers.domains,
+                  .root_domain in ("outlook.com", "office365.com")
+          )
+          // typical emails from freemail Outlook accounts are from prod.outlook.com
+          and strings.ends_with(headers.message_id, "protection.outlook.com>")
+        )
+      )
+    )
+    or sender.email.domain.root_domain not in $org_domains
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+  and not (
+    profile.by_sender().any_messages_benign
+    and coalesce(headers.auth_summary.dmarc.pass, false)
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Computer Vision"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "2e22e1b3-a8d6-536b-8798-ec38ff1eac0a"
+og_id: "3ee9ef3d-8ec4-5df0-a8a2-5c6d037eb17a"
+testing_pr: 3733
+testing_sha: 59f9a78d98074cb02a734ac74ffef86b875cb1bd
