From 8e967830012fe776a5ae8bc7d8fe7a5ee44b05f7 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Tue, 4 Nov 2025 15:14:40 -0600
Subject: [PATCH 1/7] new rule

---
 ...nt_pdf_microsoft_purview_impersonation.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 detection-rules/attachment_pdf_microsoft_purview_impersonation.yml

diff --git a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
new file mode 100644
index 00000000000..c108702a63d
--- /dev/null
+++ b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
@@ -0,0 +1,26 @@
+name: "Attachment: PDF With Microsoft Purview Message Impersonation"
+description: "Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and any(filter(attachments, .file_extension == 'pdf'),
+ any(filter(file.explode(.), .file_name == 'text'),
+ any(.scan.strings.strings,
+ any(ml.nlu_classifier(.).topics, .name == 'Secure Message')
+ and strings.icontains(., "Microsoft Purview Message")
+ )
+ )
+ )
+
+attack_types:
+ - "Credential Phishing"
+tactics_and_techniques:
+ - "Impersonation: Brand"
+ - "PDF"
+ - "Social engineering"
+detection_methods:
+ - "Archive analysis"
+ - "File analysis"
+ - "Natural Language Understanding"
+ - "Content analysis"

From 8e93a98859235bb00ae477802a9d6d176a1cd2bd Mon Sep 17 00:00:00 2001
From: ID Generator
Date: Tue, 4 Nov 2025 21:27:40 +0000
Subject: [PATCH 2/7] Auto add rule ID

---
 .../attachment_pdf_microsoft_purview_impersonation.yml | 1 +
 1 file changed, 1 insertion(+)
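Review bot: The attachment filter `.file_extension == 'pdf'` is an exact, case-sensitive comparison, so a PDF named `Invoice.PDF`, or one delivered with a mismatched or missing extension, never reaches the content checks in the rest of this hunk. For a brand-impersonation rule the file type should come from the content rather than the name alone; if `=~` is the case-insensitive equality and `.file_type` the detected type used elsewhere in this repo, the filter would read `filter(attachments, .file_extension =~ 'pdf' or .file_type == 'pdf')`. The `file.explode` inner logic of this hunk is superseded by patch 3 in the series, so I am not commenting on it here.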
diff --git a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
index c108702a63d..85dde9529e0 100644
--- a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
+++ b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
@@ -24,3 +24,4 @@ detection_methods:
 - "File analysis"
 - "Natural Language Understanding"
 - "Content analysis"
+id: "571d4964-dc44-56eb-bff4-11068b1cd119"

From 4de7c4b72ad1191ce45fe4713af7ee57ce316310 Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Wed, 5 Nov 2025 14:14:56 -0600
Subject: [PATCH 3/7] use beta.ocr instead of file.explode

---
 .../attachment_pdf_microsoft_purview_impersonation.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
index 85dde9529e0..3bfa9b72ab2 100644
--- a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
+++ b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
@@ -5,12 +5,10 @@ severity: "medium"
 source: |
 type.inbound
 and any(filter(attachments, .file_extension == 'pdf'),
- any(filter(file.explode(.), .file_name == 'text'),
- any(.scan.strings.strings,
- any(ml.nlu_classifier(.).topics, .name == 'Secure Message')
- and strings.icontains(., "Microsoft Purview Message")
- )
+ any(ml.nlu_classifier(beta.ocr(.).text).topics,
+ .name == 'Secure Message' and .confidence == 'high'
 )
+ and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
 )
 
 attack_types:

From 4821c33fc942de17f47854cbd883d98002d1401b Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Wed, 5 Nov 2025 14:16:55 -0600
Subject: [PATCH 4/7] remove Archive analysis detection method

---
 .../attachment_pdf_microsoft_purview_impersonation.yml | 1 -
 1 file changed, 1 deletion(-)
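Review bot: `strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")` only matches when OCR returns the three words separated by exactly one space, but OCR output routinely splits a phrase across a line break or inserts extra whitespace, and a sender can do the same in the rendered PDF, so the literal check is brittle on the exact text the rule hinges on. A whitespace-tolerant pattern such as `regex.icontains(beta.ocr(.).text, 'microsoft\s+purview\s+message')` (assuming `regex.icontains` exists in this MQL dialect, as it does elsewhere in Sublime rules) would survive that. `beta.ocr(.)` is also evaluated twice on the same attachment in this hunk; unless the engine memoizes it, placing the cheap string check before the `ml.nlu_classifier` call would let the conjunction short-circuit before the classifier runs on every PDF. The `source` block this hunk edits starts before the hunk.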
diff --git a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
index 3bfa9b72ab2..c624fcef470 100644
--- a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
+++ b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
@@ -18,7 +18,6 @@ tactics_and_techniques:
 - "PDF"
 - "Social engineering"
 detection_methods:
- - "Archive analysis"
 - "File analysis"
 - "Natural Language Understanding"
 - "Content analysis"

From a2e312e618a15829c679b5d36cab8a3a5040260b Mon Sep 17 00:00:00 2001
From: Daniel Bolton <119350640+D-Bolton@users.noreply.github.com>
Date: Mon, 10 Nov 2025 11:37:41 -0600
Subject: [PATCH 5/7] Update rule name

Co-authored-by: Aiden Mitchell

---
 .../attachment_pdf_microsoft_purview_impersonation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
index c624fcef470..a67d05f9130 100644
--- a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
+++ b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
@@ -1,4 +1,4 @@
-name: "Attachment: PDF With Microsoft Purview Message Impersonation"
+name: "Attachment: PDF with Microsoft Purview message impersonation"
 description: "Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services."
 type: "rule"
 severity: "medium"

From 73db338bb4b8c024f9eb393f156a25e2c56ab7f7 Mon Sep 17 00:00:00 2001
From: Daniel Bolton <119350640+D-Bolton@users.noreply.github.com>
Date: Mon, 10 Nov 2025 11:40:24 -0600
Subject: [PATCH 6/7] Add standard negation

Co-authored-by: Aiden Mitchell

---
 .../attachment_pdf_microsoft_purview_impersonation.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
index a67d05f9130..a605d4dc26f 100644
--- a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
+++ b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
@@ -10,7 +10,14 @@ source: |
 )
 and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
 )
-
 // negate highly trusted sender domains unless they fail DMARC authentication
+and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+)
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:

From 0bcf1d08b35ffdb4b8da84c9ad217510604dbb2a Mon Sep 17 00:00:00 2001
From: Daniel Bolton
Date: Mon, 10 Nov 2025 12:09:24 -0600
Subject: [PATCH 7/7] indent code block

---
 ...achment_pdf_microsoft_purview_impersonation.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
index a605d4dc26f..1c34742f863 100644
--- a/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
+++ b/detection-rules/attachment_pdf_microsoft_purview_impersonation.yml
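Review bot: The high-trust carve-out added in this hunk keys on `not headers.auth_summary.dmarc.pass`, whose outcome depends on how the engine evaluates `not` when there is no DMARC verdict at all (no Authentication-Results header, or a sender domain with no published policy); if `dmarc.pass` is null in that case and `not null` is falsy, a spoofed high-trust domain with no DMARC result would be exempted rather than caught, the opposite of what the comment promises. This looks like the repo-wide standard negation, so the semantics are presumably settled, but it is worth confirming or making the intent explicit with `and not coalesce(headers.auth_summary.dmarc.pass, false)` if `coalesce` is available. The `source` block this hunk edits starts before the hunk, and the indentation of the added lines is corrected by patch 7.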
@@ -10,14 +10,14 @@ source: |
 )
 and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
 )
- // negate highly trusted sender domains unless they fail DMARC authentication
-and (
- (
- sender.email.domain.root_domain in $high_trust_sender_root_domains
- and not headers.auth_summary.dmarc.pass
+ // negate highly trusted sender domains unless they fail DMARC authentication
+ and (
+ (
+ sender.email.domain.root_domain in $high_trust_sender_root_domains
+ and not headers.auth_summary.dmarc.pass
+ )
+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 )
- or sender.email.domain.root_domain not in $high_trust_sender_root_domains
-)
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques: