[PR #3476] added rule: Attachment: PDF with Microsoft Purview message impersonation

Author: github-actions[bot]

detection-rules/3476_attachment_pdf_microsoft_purview_impersonation.yml

@@ -0,0 +1,34 @@
+name: "Attachment: PDF with Microsoft Purview message impersonation"
+description: "Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_extension == 'pdf'),
+          any(ml.nlu_classifier(beta.ocr(.).text).topics,
+              .name == 'Secure Message' and .confidence == 'high'
+          )
+          and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Content analysis"
+id: "eaeb0d92-fbdf-5fff-be94-05f42fa6d75b"
+og_id: "571d4964-dc44-56eb-bff4-11068b1cd119"
+testing_pr: 3476
+testing_sha: 0bcf1d08b35ffdb4b8da84c9ad217510604dbb2a