
Summary
This detection rule identifies potential brand impersonation attacks that target Microsoft Planner, a popular tool within the Microsoft 365 suite. Such attacks typically use phishing tactics: attackers impersonate a trusted service to trick users into clicking malicious links or disclosing sensitive information. The rule filters inbound emails that contain suspicious links and looks for characteristics typical of phishing attempts, such as links to non-reputable domains, the involvement of certain mass-mailing services, and misleading or malicious content in the email body. It also inspects images attached to the email for specific attributes, checking that they are consistent with legitimate images associated with Microsoft Planner. Exclusion filters prevent false positives from known and trusted Microsoft domains and from messages that contain only marketing jargon. Detection techniques include content analysis, URL analysis, and natural language processing to assess the intent of the email body. The rule classifies the threat as medium severity, focuses on credential phishing scenarios, and uses both sender and content attributes to assess risk.
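The following Python is an added illustration of how the signals listed above combine into a verdict; it is not the rule's own logic or any vendor's code. The trusted-domain allow-list, the mass-mailer list, the marketing vocabulary, the credential-lure regex and the image heuristic are all constructed stand-ins (the page names none of the actual values), and the sample emails are constructed. The evaluation order matters: the two exclusions (trusted Microsoft sender, marketing content without a lure) run before the positive signals so that legitimate notifications and newsletters are dropped early.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed allow-list standing in for the rule's "known and trusted Microsoft domains".
TRUSTED_DOMAINS = {"microsoft.com", "office.com", "microsoftonline.com", "sharepoint.com"}
# Constructed examples of mass-mailing services; a real rule would carry a maintained list.
MASS_MAILERS = {"sendgrid.net", "mailchimp.com", "mailgun.org"}
# Constructed marketing vocabulary used for the newsletter exclusion.
MARKETING_TERMS = ("unsubscribe", "newsletter", "promotion")
# Constructed stand-in for the NLP intent check: credential-phishing language.
CREDENTIAL_LURE = re.compile(r"\b(verify|confirm|sign in|log in|password|suspend\w*|lock\w*)\b", re.I)
BRAND_TERMS = re.compile(r"\b(microsoft\s+)?planner\b", re.I)


@dataclass
class Image:
    filename: str
    width: int
    height: int


@dataclass
class Email:
    sender_domain: str
    subject: str
    body_text: str
    links: list = field(default_factory=list)
    images: list = field(default_factory=list)
    inbound: bool = True


def registered_domain(host: str) -> str:
    """Reduce a hostname to its last two labels (naive eTLD+1, enough for the demo)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def link_domain(url: str) -> str:
    return registered_domain(urlparse(url).hostname or "")


def looks_like_brand_logo(img: Image) -> bool:
    """Constructed image-attribute heuristic: a small, roughly square image with a
    logo-like filename is treated as a Planner brand asset."""
    square = abs(img.width - img.height) <= max(8, img.width // 10)
    small = img.width <= 300 and img.height <= 300
    return square and small and bool(re.search(r"logo|planner|brand", img.filename, re.I))


def evaluate(email: Email) -> tuple[bool, list[str]]:
    """Return (matched, reasons): True only when brand reference, untrusted link and
    credential lure all appear and neither exclusion fires."""
    reasons: list[str] = []
    if not email.inbound:
        return False, ["outbound message"]
    # Exclusion 1: mail that genuinely comes from a trusted Microsoft domain.
    if registered_domain(email.sender_domain) in TRUSTED_DOMAINS:
        return False, ["sender domain is on the trusted Microsoft list"]

    text = f"{email.subject}\n{email.body_text}"
    brand_in_text = bool(BRAND_TERMS.search(text))
    brand_in_images = any(looks_like_brand_logo(i) for i in email.images)
    if not (brand_in_text or brand_in_images):
        return False, ["no Microsoft Planner reference"]
    reasons.append("references Microsoft Planner in " + ("text" if brand_in_text else "image"))

    # URL analysis: any link off the trusted list is suspicious; note mass-mailer hops.
    untrusted = [u for u in email.links if link_domain(u) not in TRUSTED_DOMAINS]
    if not untrusted:
        return False, ["all links point to trusted domains"]
    reasons.append(f"{len(untrusted)} link(s) to non-Microsoft domains")
    if any(link_domain(u) in MASS_MAILERS for u in untrusted):
        reasons.append("link routed through a mass-mailing service")

    # Body intent: credential lure versus plain marketing.
    lure = bool(CREDENTIAL_LURE.search(text))
    marketing = any(t in text.lower() for t in MARKETING_TERMS)
    # Exclusion 2: marketing jargon with no credential lure is a newsletter, not phishing.
    if marketing and not lure:
        return False, ["marketing content without credential lure"]
    if not lure:
        return False, ["body lacks credential-phishing language"]
    reasons.append("body contains credential-phishing language")
    return True, reasons


# Constructed sample messages (domains are invented placeholders).
PHISH = Email("planner-alerts.example", "Action required: your Planner task was reassigned",
              "Sign in to verify your account before it is locked.",
              links=["https://login.planner-verify.example/auth"],
              images=[Image("planner_logo.png", 96, 96)])
LEGIT = Email("notifications.office.com", "A task was assigned to you in Planner",
              "Open the task to see details.", links=["https://tasks.office.com/view"])
NEWSLETTER = Email("news.example-marketing.com", "What's new in Planner this month",
                   "Read our newsletter for the latest features. Unsubscribe at any time.",
                   links=["https://click.mailchimp.com/track/abc"])
IMAGE_ONLY = Email("secure-notify.example", "Account notice",
                   "Sign in to confirm your account.",
                   links=["https://secure-notify.example/login"],
                   images=[Image("brand-logo.png", 120, 118)])

if __name__ == "__main__":
    for name, msg in [("PHISH", PHISH), ("LEGIT", LEGIT), ("NEWSLETTER", NEWSLETTER), ("IMAGE_ONLY", IMAGE_ONLY)]:
        print(name, evaluate(msg))
```

Running the block prints one verdict per sample; the newsletter is excluded even though it links through a mass mailer, because the body carries marketing terms and no credential lure, which is the false-positive case the exclusion filters are there to handle.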
Categories
- Cloud
- Web
- Application
- Identity Management
Data Sources
- User Account
- Network Traffic
- Application Log
- File
- Web Credential
Created: 2024-08-27