Brand impersonation: File sharing notification with template artifacts

Detects messages impersonating file sharing services that contain template artifacts such as placeholder comments, incomplete HTML elements, and development remnants. The message includes 'shared with you' language and exhibits multiple indicators of being generated from a malicious template, including HTML comments with development terms, broken anchor tags, and filename elements that closely match the subject line.

Sublime rule (View on GitHub)

name: "Brand impersonation: File sharing notification with template artifacts"
description: "Detects messages impersonating file sharing services that contain template artifacts such as placeholder comments, incomplete HTML elements, and development remnants. The message includes 'shared with you' language and exhibits multiple indicators of being generated from a malicious template including HTML comments with development terms, broken anchor tags, and filename elements that closely match the subject line."
type: "rule"
severity: "low"
source: |
  type.inbound
  and strings.icontains(body.current_thread.text, 'shared with you')
  // we detect a file sharing logo with high confidence
  and any(ml.logo_detect(file.message_screenshot()).brands,
          .name in ('Microsoft', 'Dropbox', 'Google') and .confidence == "high"
  )
  and 2 of (
    // the subject is very similar to the name of the file-name html class
    any(html.xpath(body.html, '//span[@class="file-name"]').nodes,
        strings.ilevenshtein(.display_text, subject.subject) < 15
    ),
    // we detect a href to a # implying a neglected placeholder
    any(html.xpath(body.html, '//a[@href="#"]').nodes, .raw is not null),
    // we detect "ai-esque" comments
    any(html.xpath(body.html, '//comment()').nodes,
        regex.icontains(.raw, '(optional|section|placeholder|todo|fixme)')
    ),
    // recipients local part is in the body of the message
    any(recipients.to,
        strings.icontains(body.current_thread.text, .email.local_part)
    ),
    strings.icontains(body.html.raw, 'if the button does not work')
  )
  // and cred theft/bec high confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft", "bec") and .confidence == "high"
  )
  // not sent from legitimate Microsoft emails as long as auth passes
  and not (
    sender.email.email in (
      'no-reply@outlook.mail.microsoft',
      'azuredevops@microsoft.com'
    )
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "HTML analysis"
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
id: "37d89611-e8ab-50c5-af7a-c9d5a0a785fd"
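To see how the "2 of" template-artifact branch of the rule behaves, here is an added Python re-implementation of those five indicators (example code, not Sublime's own), run over a constructed subject, HTML body and recipient local part. The ML parts of the rule (logo detection, NLU intent) are left out, and the XPath queries are approximated with regular expressions.

```python
# Added example (not Sublime's code): re-implements the rule's five HTML/text
# "2 of" indicators in plain Python so the artifact logic can be run over a
# sample. The ML checks (logo detection, NLU intent) are omitted; the subject,
# HTML body and recipient below are constructed, not taken from a real message.
import re


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance, mirroring strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def template_artifact_indicators(html: str, subject: str, local_part: str) -> dict:
    """Each of the rule's five '2 of' indicators as a boolean (regex-based HTML
    extraction is a simplification of the rule's XPath queries)."""
    file_names = re.findall(r'<span[^>]*class="file-name"[^>]*>(.*?)</span>', html, re.I | re.S)
    placeholder_hrefs = re.findall(r'<a[^>]*href="#"', html, re.I)
    comments = re.findall(r"<!--(.*?)-->", html, re.S)
    text = re.sub(r"<[^>]+>", " ", html).lower()  # crude tag stripping for text checks
    return {
        "file_name_near_subject": any(ilevenshtein(n.strip(), subject) < 15 for n in file_names),
        "placeholder_href": bool(placeholder_hrefs),
        "dev_comment": any(re.search(r"optional|section|placeholder|todo|fixme", c, re.I) for c in comments),
        "recipient_local_part_in_body": local_part.lower() in text,
        "button_fallback_text": "if the button does not work" in text,
    }


def artifact_count(html: str, subject: str, local_part: str) -> int:
    """Number of indicators hit; this branch of the rule requires at least 2."""
    return sum(template_artifact_indicators(html, subject, local_part).values())


# Constructed sample resembling the templated lure the rule describes.
SAMPLE_SUBJECT = "Q3_Invoice_Report.pdf"
SAMPLE_LOCAL_PART = "jdoe"
SAMPLE_HTML = """<html><body><!-- TODO: optional header section -->
<p>A file has been shared with you, jdoe.</p>
<span class="file-name">Q3_Invoice_Report.pdf</span> <a href="#">Open document</a>
<p>If the button does not work, copy the link into your browser.</p></body></html>"""
```

Calling `artifact_count(SAMPLE_HTML, SAMPLE_SUBJECT, SAMPLE_LOCAL_PART)` on the sample hits all five indicators, while a plain body with only the 'shared with you' phrase hits none, which is why the rule pairs this branch with the logo and intent checks before firing.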