Brand Impersonation: ShareFile
This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages.
Sublime rule (View on GitHub)
1name: "Brand Impersonation: ShareFile"
2description: "This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages. "
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 0 < length(body.links) < 100
9 or 0 < length(filter(attachments, .file_type in $file_types_images)) <= 5
10 or length(filter(attachments, .file_type == "pdf")) == 1
11 )
12 and (
13 strings.icontains(sender.display_name, 'ShareFile')
14 or strings.icontains(subject.subject, 'ShareFile Attachments')
15 or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
16 or strings.icontains(sender.email.domain.domain, 'sharefile')
17 // message body
18 or strings.icontains(body.current_thread.text, 'ShareFile Attachments')
19 or strings.icontains(body.current_thread.text,
20 'Click here to change how often ShareFile sends emails'
21 )
22 or strings.icontains(body.current_thread.text,
23 'uses ShareFile to share documents securely'
24 )
25 or strings.icontains(body.current_thread.text,
26 'ShareFile is a tool for sending, receiving, and organizing your business files online'
27 )
28 or regex.icontains(body.current_thread.text,
29 'shared a (?:file|document)\s*(?:\w+\s+){0,3}\s*via sharefile'
30
31 )
32 or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
33 or regex.icontains(body.current_thread.text, '© 20\d\d ShareFile')
34
35 // any of the attached images contain the same message body wording
36 or (
37 0 < length(attachments) <= 5
38 and (
39 all(attachments, .file_type in $file_types_images)
40 or (
41 length(filter(attachments, .file_type == "pdf")) == 1
42 )
43 )
44 and any(attachments,
45 any(file.explode(.),
46 strings.icontains(.scan.ocr.raw, 'ShareFile Attachments')
47 or strings.icontains(.scan.ocr.raw,
48 'Click here to change how often ShareFile sends emails'
49 )
50 or strings.icontains(.scan.ocr.raw,
51 'uses ShareFile to share documents securely'
52 )
53 or strings.icontains(.scan.ocr.raw,
54 'ShareFile is a tool for sending, receiving, and organizing your business files online'
55 )
56 or strings.icontains(.scan.ocr.raw,
57 'Powered By Citrix ShareFile'
58 )
59 or regex.icontains(body.current_thread.text,
60 '© 20\d\d ShareFile'
61 )
62 )
63 )
64 )
65 )
66 and not (
67 sender.email.domain.root_domain in (
68 'sf-notifications.com',
69 'sharefile.com',
70 'cloud.com', // previous parent org of ShareFile
71 'progress.com' // progress.com is the parent org of ShareFile
72 )
73 and headers.auth_summary.dmarc.pass
74 )
75 // ShareFile also allows you customers to send from customer domains/mail servers
76 // https://docs.sharefile.com/en-us/sharefile/configure/admin-settings/advanced-preferences.html#smtp-server
77 // when this happens, we cannot depend on the sender.email.domain.root_domain
78 // there does appear to be a custom header value added though.
79 and not (
80 any(headers.hops,
81 .index == 0
82 and any(.fields,
83 (
84 .name =~ "X-SMTPAPI"
85 and strings.icontains(.value, 'sf_event_id')
86 )
87 or .name in~ ("x-sf-messageclass", "x-sf-uri")
88 )
89 )
90 )
91 // negate highly trusted sender domains unless they fail DMARC authentication
92 and (
93 (
94 sender.email.domain.root_domain in $high_trust_sender_root_domains
95 and not headers.auth_summary.dmarc.pass
96 )
97 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
98 )
99attack_types:
100 - "Credential Phishing"
101tactics_and_techniques:
102 - "Impersonation: Brand"
103 - "Evasion"
104 - "Lookalike domain"
105detection_methods:
106 - "Header analysis"
107 - "Content analysis"
108 - "Sender analysis"
109id: "f8330307-67fe-5b49-b850-bfdc17955aea"