sublime-security · D-Bolton · Nov 10, 2025 · Nov 4, 2025 · Nov 4, 2025 · Nov 5, 2025
@@ -0,0 +1,31 @@
+name: "Attachment: PDF with Microsoft Purview message impersonation"
+description: "Detects PDF attachments containing text that impersonates Microsoft Purview secure message notifications, potentially used to trick users into believing they have received legitimate secure communications from Microsoft services."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(filter(attachments, .file_extension == 'pdf'),
+          any(ml.nlu_classifier(beta.ocr(.).text).topics,
+              .name == 'Secure Message' and .confidence == 'high'
+          )
+          and strings.icontains(beta.ocr(.).text, "Microsoft Purview Message")
+  )
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "PDF"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "Content analysis"
+id: "571d4964-dc44-56eb-bff4-11068b1cd119"