Attachment: EML with SharePoint files shared from GoDaddy federated tenants

Detects inbound messages carrying a single EML attachment whose body links to a SharePoint site with a 'netorg' subdomain (for example netorgft1234567-my.sharepoint.com), the default tenant name assigned to Microsoft 365 tenants provisioned through GoDaddy. Such links may indicate suspicious redirection through one of these tenants or abuse of an otherwise legitimate sharepoint.com domain.

Sublime rule

name: "Attachment: EML with SharePoint files shared from GoDaddy federated tenants"
description: "Detects inbound messages carrying a single EML attachment whose body links to a SharePoint site with a 'netorg' subdomain, the default tenant name assigned to Microsoft 365 tenants provisioned through GoDaddy. Such links may indicate suspicious redirection through one of these tenants or abuse of an otherwise legitimate sharepoint.com domain."
type: "rule"
severity: "low"
source: |
  type.inbound
  // exactly one attached message, identified by extension or MIME type
  and length(filter(attachments,
                    .file_extension == "eml" or .content_type == "message/rfc822"
             )
  ) == 1
  // the attached message's body links to netorg*.sharepoint.com, the default
  // naming for Microsoft 365 tenants provisioned through GoDaddy
  and any(attachments,
          any(file.parse_eml(.).body.links,
              strings.starts_with(.href_url.domain.subdomain, 'netorg')
              and .href_url.domain.root_domain == "sharepoint.com"
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Content analysis"
id: "02c1f590-40f0-5db3-a8de-26bc1c1d9fc0"
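To see what the rule's conditions actually evaluate, here is an added Python example that reproduces the same logic over a constructed message. It is not Sublime's code and not part of the rule: `split_domain`, `is_godaddy_tenant_sharepoint_link`, `eml_attachments`, `links_in_attached_eml`, `rule_matches` and `build_sample` are names chosen for this example, and the addresses, the `netorgft0000000` tenant label and the SharePoint paths are placeholders.

```python
# Added example (not Sublime's code): reproduce the rule's logic in pure Python.
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _HrefCollector(HTMLParser):
    """Collect <a href> values; stands in for Sublime's body.links."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value.strip())


def split_domain(hostname):
    """Approximate .domain.subdomain / .domain.root_domain by treating the last
    two labels as the registrable domain (no public-suffix list in this example)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0]
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_godaddy_tenant_sharepoint_link(href):
    """Mirror the rule's predicate: subdomain starts with 'netorg' and the
    root domain is exactly sharepoint.com."""
    subdomain, root_domain = split_domain(urlsplit(href).hostname or "")
    return root_domain == "sharepoint.com" and subdomain.startswith("netorg")


def eml_attachments(msg):
    """Mirror the rule's filter: extension 'eml' or content type message/rfc822."""
    parts = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "message/rfc822" or name.endswith(".eml"):
            parts.append(part)
    return parts


def links_in_attached_eml(part):
    """Parse the attached message (file.parse_eml) and return hrefs from its
    HTML body. Plain-text URLs are ignored here, unlike Sublime's body.links."""
    content = part.get_content()  # EmailMessage for message/rfc822, else bytes
    if isinstance(content, (bytes, bytearray)):
        content = email.message_from_bytes(bytes(content), policy=policy.default)
    body = content.get_body(preferencelist=("html",))
    if body is None:
        return []
    collector = _HrefCollector()
    collector.feed(body.get_content())
    return collector.hrefs


def rule_matches(raw_message):
    """Evaluate the whole rule on a raw RFC 822 message; returns (matched, hrefs)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    emls = eml_attachments(msg)
    if len(emls) != 1:  # length(filter(attachments, ...)) == 1
        return False, []
    flagged = [h for part in emls for h in links_in_attached_eml(part)
               if is_godaddy_tenant_sharepoint_link(h)]
    return bool(flagged), flagged


def build_sample(href):
    """Constructed input: an inbound message forwarding a .eml whose HTML body
    links to `href`. Addresses and the forwarded message are placeholders."""
    inner = (
        'From: "Example Co" <no-reply@example.com>\r\n'
        "Subject: Document shared with you\r\nMIME-Version: 1.0\r\n"
        'Content-Type: text/html; charset="utf-8"\r\n\r\n'
        f'<html><body><p>A file was shared with you.</p><a href="{href}">Open</a></body></html>\r\n'
    )
    return (
        "From: forwarder@example.org\r\nTo: victim@example.net\r\n"
        "Subject: FW: Document shared with you\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n'
        '--outer\r\nContent-Type: text/plain; charset="utf-8"\r\n\r\nSee attached.\r\n'
        "--outer\r\nContent-Type: message/rfc822\r\n"
        'Content-Disposition: attachment; filename="shared.eml"\r\n\r\n'
        + inner + "--outer--\r\n"
    ).encode()


# Placeholder GoDaddy-style tenant (netorgft + digits) beside two non-matching cases.
SUSPICIOUS_HREF = "https://netorgft0000000-my.sharepoint.com/:b:/g/personal/user_example_com/placeholder"
BENIGN_HREF = "https://example-my.sharepoint.com/:b:/g/personal/user_example_com/placeholder"
LOOKALIKE_HREF = "https://netorgft0000000-my.sharepoint.com.example.net/login"

if __name__ == "__main__":
    for href in (SUSPICIOUS_HREF, BENIGN_HREF, LOOKALIKE_HREF):
        print(rule_matches(build_sample(href)))
```

The lookalike case shows the boundary of the rule: it anchors on `root_domain == "sharepoint.com"`, so a `netorg` label under some other registrable domain is out of scope by design and is left to other detections. Sublime's domain parsing is public-suffix aware, whereas the example simply takes the last two labels; the two agree for sharepoint.com hosts.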