[PR #3476] added rule: Attachment: PDF With Microsoft Purview Message Impersonation

Author: github-actions[bot]

detection-rules/3476_attachment_pdf_microsoft_purview_impersonation.yml

@@ -0,0 +1,27 @@
+name: "Attachment: PDF With Microsoft Purview Message Impersonation"
+description: "Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_extension == 'pdf'),
+          any(ml.nlu_classifier(beta.ocr(.).text).topics,
+              .name == 'Secure Message' and .confidence == 'high'
+          )
+          and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
+  )
+
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Content analysis"
+id: "eaeb0d92-fbdf-5fff-be94-05f42fa6d75b"
+og_id: "571d4964-dc44-56eb-bff4-11068b1cd119"
+testing_pr: 3476
+testing_sha: 4821c33fc942de17f47854cbd883d98002d1401b