Brand Impersonation: ShareFile

This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to credential phishing pages.

Sublime rule (View on GitHub)

  1name: "Brand Impersonation: ShareFile"
  2description: "This detection rule matches on the impersonation of the file sharing site ShareFile.  Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages. "
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    0 < length(body.links) < 100
  9    or 0 < length(filter(attachments, .file_type in $file_types_images)) <= 5
 10    or length(filter(attachments, .file_type == "pdf")) == 1
 11  )
 12  and (
 13    strings.icontains(sender.display_name, 'ShareFile')
 14    or strings.icontains(subject.subject, 'ShareFile Attachments')
 15    or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
 16    or strings.icontains(sender.email.domain.domain, 'sharefile')
 17    // message body
 18    or strings.icontains(body.current_thread.text, 'ShareFile Attachments')
 19    or strings.icontains(body.current_thread.text,
 20                         'Click here to change how often ShareFile sends emails'
 21    )
 22    or strings.icontains(body.current_thread.text,
 23                         'uses ShareFile to share documents securely'
 24    )
 25    or strings.icontains(body.current_thread.text,
 26                         'ShareFile is a tool for sending, receiving, and organizing your business files online'
 27    )
 28    or regex.icontains(body.current_thread.text,
 29                       'shared a (?:file|document)\s*(?:\w+\s+){0,3}\s*via sharefile'
 30    )
 31    or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
 32    or regex.icontains(body.current_thread.text, '© 20\d\d ShareFile')
 33  
 34    // any of the attached images contain the same message body wording
 35    or (
 36      0 < length(attachments) <= 5
 37      and (
 38        all(attachments, .file_type in $file_types_images)
 39        or (length(filter(attachments, .file_type == "pdf")) == 1)
 40      )
 41      and any(attachments,
 42              any(file.explode(.),
 43                  strings.icontains(.scan.ocr.raw, 'ShareFile Attachments')
 44                  or strings.icontains(.scan.ocr.raw,
 45                                       'Click here to change how often ShareFile sends emails'
 46                  )
 47                  or strings.icontains(.scan.ocr.raw,
 48                                       'uses ShareFile to share documents securely'
 49                  )
 50                  or strings.icontains(.scan.ocr.raw,
 51                                       'ShareFile is a tool for sending, receiving, and organizing your business files online'
 52                  )
 53                  or strings.icontains(.scan.ocr.raw,
 54                                       'Powered By Citrix ShareFile'
 55                  )
 56                  or regex.icontains(body.current_thread.text,
 57                                     '© 20\d\d ShareFile'
 58                  )
 59              )
 60      )
 61    )
 62  )
 63  and not (
 64    sender.email.domain.root_domain in (
 65      'sf-notifications.com',
 66      'sharefile.com',
 67      'cloud.com', // previous parent org of ShareFile
 68      'progress.com' // progress.com is the parent org of ShareFile
 69    )
 70    and headers.auth_summary.dmarc.pass
 71  )
 72  // ShareFile also allows you customers to send from customer domains/mail servers
 73  // https://docs.sharefile.com/en-us/sharefile/configure/admin-settings/advanced-preferences.html#smtp-server
 74  // when this happens, we cannot depend on the sender.email.domain.root_domain
 75  // there does appear to be a custom header value added though. 
 76  and not (
 77    any(headers.hops,
 78        .index == 0
 79        and any(.fields,
 80                (
 81                  .name =~ "X-SMTPAPI"
 82                  and strings.icontains(.value, 'sf_event_id')
 83                )
 84                or .name in~ ("x-sf-messageclass", "x-sf-uri")
 85        )
 86    )
 87  )
 88  // negate highly trusted sender domains unless they fail DMARC authentication
 89  and (
 90    (
 91      sender.email.domain.root_domain in $high_trust_sender_root_domains
 92      and not headers.auth_summary.dmarc.pass
 93    )
 94    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 95  )  
 96attack_types:
 97  - "Credential Phishing"
 98tactics_and_techniques:
 99  - "Impersonation: Brand"
100  - "Evasion"
101  - "Lookalike domain"
102detection_methods:
103  - "Header analysis"
104  - "Content analysis"
105  - "Sender analysis"
106id: "f8330307-67fe-5b49-b850-bfdc17955aea"