1+ name : " Brand impersonation: Microsoft Teams"
2+ description : |
3+ Impersonation of a Microsoft Teams message.
4+ type : " rule"
5+ severity : " high"
6+ source : |
7+ type.inbound
8+ and (
9+ (
10+ 0 < length(filter(attachments,
11+ .file_type in $file_types_images or .file_type == "pdf"
12+ )
13+ ) < 10
14+ )
15+ or (
16+ length(filter(attachments,
17+ .file_extension == "ics" or .content_type == "text/calendar"
18+ )
19+ ) == 1
20+ )
21+ )
22+ and any(attachments,
23+ (
24+ (.file_type in $file_types_images or .file_type == "pdf")
25+ and any(file.explode(.),
26+ regex.icontains(.scan.ocr.raw,
27+ "trying to reach you.*microsoft teams",
28+ "microsoft teams.*meeting (recording|event)"
29+ )
30+ )
31+ )
32+ or (
33+ (.file_extension == "ics" or .content_type == "text/calendar")
34+ and any(file.explode(.),
35+ regex.icontains(.scan.strings.raw,
36+ "trying to reach you.*microsoft teams",
37+ "microsoft teams.*meeting (recording|event)"
38+ )
39+ )
40+ )
41+ )
42+ and (
43+ sender.email.domain.root_domain not in (
44+ "microsoft.com",
45+ "microsoftsupport.com",
46+ "office.com"
47+ )
48+ or not sender.email.domain.valid
49+ )
50+ attack_types :
51+ - " Credential Phishing"
52+ tactics_and_techniques :
53+ - " Impersonation: Brand"
54+ - " Social engineering"
55+ detection_methods :
56+ - " Content analysis"
57+ - " File analysis"
58+ - " Optical Character Recognition"
59+ - " Sender analysis"
60+ id : " 3edd5da2-624b-5b03-9208-871f21790c47"
61+ og_id : " 9cd53055-8e1a-5a45-b78f-34a62f0793dd"
62+ testing_pr : 3483
63+ testing_sha : 1b701f2cb215d34fce1036c192696359a0a91c6a
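Review bot: The sender exemption on the `sender.email.domain.root_domain not in (...)` block is keyed only on the From: domain, so a message with a forged `microsoft.com` sender that otherwise matches the OCR/ICS patterns is never flagged — the `or not sender.email.domain.valid` clause only re-enables detection for malformed domains, not for a well-formed spoofed one. Brand-impersonation rules should tie the legitimate-sender carve-out to authentication results rather than the bare domain; if the rule schema exposes DMARC (Sublime rules commonly use `headers.auth_summary.dmarc.pass`, confirm against the MQL schema), the clause becomes `or not headers.auth_summary.dmarc.pass` so that only authenticated mail from those root domains is exempted. Also consider adding `reply_to` domains to the impersonation check, since a Teams lure that passes DMARC from a compromised tenant can still redirect replies; and the `description` could state that detection is via OCR of image/PDF attachments and strings in `.ics` invites, which is what the body actually implements.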