
Summary
This detection rule is designed to identify potential phishing attempts targeting Microsoft 365 credentials through email attachments. It focuses on messages that contain image attachments and specific keywords associated with Microsoft products and password prompting. The rule checks whether the attachment is of an image file type, applies machine learning to detect Microsoft branding in the image, and runs Optical Character Recognition (OCR) over the image to find suspicious phrases that commonly appear in phishing emails. It excludes (negates) messages that are replies, as well as messages from trusted domains that pass authentication checks. The objective is to flag any communications that appear to misuse Microsoft branding to elicit sensitive information, such as passwords, from the recipient.
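The decision logic described in the summary, written out as an added Python example (this is not the page's or the vendor's own rule code). It assumes the OCR text and the branding classifier's verdict are computed upstream and passed in per attachment; the keyword patterns, image extensions and trusted-domain set are constructed placeholders.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed placeholder lists; a production rule would maintain its own.
IMAGE_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp"}
MICROSOFT_KEYWORDS = re.compile(r"\b(microsoft|office\s*365|outlook|onedrive|sharepoint)\b", re.I)
# A verb commonly used in credential prompts, followed within 40 chars by "password".
PASSWORD_PROMPT = re.compile(r"\b(enter|confirm|verify|update)\b.{0,40}\bpassword\b", re.I)
TRUSTED_DOMAINS = {"microsoft.com", "contoso.example"}

@dataclass
class Attachment:
    filename: str
    ocr_text: str            # text recovered by OCR upstream (assumed input)
    ms_logo_detected: bool   # branding classifier verdict computed upstream (assumed input)

@dataclass
class Message:
    sender_domain: str
    subject: str
    dmarc_pass: bool                      # sender authentication result
    in_reply_to: Optional[str] = None     # In-Reply-To header, if any
    attachments: List[Attachment] = field(default_factory=list)

def is_reply(msg: Message) -> bool:
    # Replies are negated: a thread the recipient started is a weak phishing signal.
    return msg.in_reply_to is not None or msg.subject.lower().startswith("re:")

def is_trusted_sender(msg: Message) -> bool:
    # Only a trusted domain that also passes authentication is excluded;
    # a spoofed trusted domain that fails DMARC stays in scope.
    return msg.sender_domain.lower() in TRUSTED_DOMAINS and msg.dmarc_pass

def suspicious_attachment(att: Attachment) -> bool:
    ext = att.filename.rsplit(".", 1)[-1].lower()
    if ext not in IMAGE_EXTENSIONS:
        return False
    branded = att.ms_logo_detected or MICROSOFT_KEYWORDS.search(att.ocr_text) is not None
    return branded and PASSWORD_PROMPT.search(att.ocr_text) is not None

def flag_message(msg: Message) -> bool:
    """True when the message matches the rule: image attachment with Microsoft
    branding plus a password prompt, and none of the negations apply."""
    if is_reply(msg) or is_trusted_sender(msg):
        return False
    return any(suspicious_attachment(a) for a in msg.attachments)

# Constructed sample: an image whose OCR text impersonates a Microsoft 365 notice.
SAMPLE_PHISH = Message("mail-notice.example", "Your mailbox is almost full", False, None,
    [Attachment("notice.png", "Microsoft 365: please re-enter your password to keep access", True)])
```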
Categories
- Web
- Cloud
- Endpoint
Data Sources
- Image
- User Account
- Network Traffic
- Application Log
Created: 2022-05-05