Brand Impersonation: ShareFile
This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to credential phishing pages.
Sublime rule:
name: "Brand Impersonation: ShareFile"
description: "This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to credential phishing pages."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    strings.icontains(sender.display_name, 'ShareFile')
    or strings.icontains(subject.subject, 'ShareFile')
    or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
    or strings.icontains(sender.email.domain.domain, 'sharefile')
    or strings.icontains(body.current_thread.text, 'Click here to change how often ShareFile sends emails')
    or strings.icontains(body.current_thread.text, 'ShareFile is a tool for sending, receiving, and organizing your business files online')
    or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
  )
  and (length(body.links) > 0 or length(attachments) > 0)
  and not (
    sender.email.domain.root_domain in (
      'sf-notifications.com', 'sharefile.com',
      'cloud.com' // cloud.com is the parent org of ShareFile
    )
    and headers.auth_summary.dmarc.pass
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Evasion"
  - "Lookalike domain"
detection_methods:
  - "Header analysis"
  - "Content analysis"
  - "Sender analysis"
id: "f8330307-67fe-5b49-b850-bfdc17955aea"
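To show how the rule's clauses combine (brand signals, a link or attachment, the DMARC-gated ShareFile allowlist, and the high-trust-domain exception), here is an added Python re-implementation run over constructed messages; it is not Sublime's code or MQL engine, and the contents of `$high_trust_sender_root_domains` are assumed.

```python
# Added example, not part of the Sublime rule: the rule's logic in plain Python
# over constructed message metadata, including the lookalike display-name check.
from dataclasses import dataclass

# Assumed contents of $high_trust_sender_root_domains (the real list is tenant-specific).
HIGH_TRUST_ROOT_DOMAINS = {"microsoft.com", "google.com"}
SHAREFILE_ROOT_DOMAINS = {"sf-notifications.com", "sharefile.com", "cloud.com"}
BODY_PHRASES = (
    "Click here to change how often ShareFile sends emails",
    "ShareFile is a tool for sending, receiving, and organizing your business files online",
    "Powered By Citrix ShareFile",
)

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein edit distance (standard dynamic-programming form)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Message:
    display_name: str
    sender_domain: str      # full sender domain, e.g. mail.sharefile.com
    root_domain: str        # registrable root domain, e.g. sharefile.com
    subject: str
    body_text: str
    dmarc_pass: bool
    links: int = 0
    attachments: int = 0
    inbound: bool = True

def matches(m: Message) -> bool:
    """Return True when the message satisfies every clause of the rule."""
    brand_signal = (
        "sharefile" in m.display_name.lower()
        or "sharefile" in m.subject.lower()
        or ilevenshtein(m.display_name, "ShareFile") <= 2
        or "sharefile" in m.sender_domain.lower()
        or any(p.lower() in m.body_text.lower() for p in BODY_PHRASES)
    )
    has_payload = m.links > 0 or m.attachments > 0
    # Legitimate ShareFile mail is excluded only when it also passes DMARC.
    legit_sharefile = m.root_domain in SHAREFILE_ROOT_DOMAINS and m.dmarc_pass
    # High-trust domains are excluded unless they fail DMARC (same as the rule's last block).
    trusted_authenticated = m.root_domain in HIGH_TRUST_ROOT_DOMAINS and m.dmarc_pass
    return m.inbound and brand_signal and has_payload and not legit_sharefile and not trusted_authenticated
```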