Brand Impersonation: ShareFile
This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages.
Sublime rule (View on GitHub)
1name: "Brand Impersonation: ShareFile"
2description: "This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages. "
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 0 < length(body.links) < 100
9 or 0 < length(filter(attachments, .file_type in $file_types_images)) <= 5
10 or length(filter(attachments, .file_type == "pdf")) == 1
11 )
12 and (
13 strings.icontains(sender.display_name, 'ShareFile')
14 or strings.icontains(subject.subject, 'ShareFile Attachments')
15 or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
16 or strings.icontains(sender.email.domain.domain, 'sharefile')
17 // message body
18 or strings.icontains(body.current_thread.text, 'ShareFile Attachments')
19 or strings.icontains(body.current_thread.text,
20 'Click here to change how often ShareFile sends emails'
21 )
22 or strings.icontains(body.current_thread.text,
23 'uses ShareFile to share documents securely'
24 )
25 or strings.icontains(body.current_thread.text,
26 'ShareFile is a tool for sending, receiving, and organizing your business files online'
27 )
28 or regex.icontains(body.current_thread.text,
29 'shared a (?:file|document)\s*(?:\w+\s+){0,3}\s*via sharefile'
30
31 )
32 or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
33 or regex.icontains(body.current_thread.text, '© 20\d\d ShareFile')
34
35 // any of the attached images contain the same message body wording
36 or (
37 0 < length(attachments) <= 5
38 and (
39 all(attachments, .file_type in $file_types_images)
40 or (
41 length(filter(attachments, .file_type == "pdf")) == 1
42 )
43 )
44 and any(attachments,
45 any(file.explode(.),
46 strings.icontains(.scan.ocr.raw, 'ShareFile Attachments')
47 or strings.icontains(.scan.ocr.raw,
48 'Click here to change how often ShareFile sends emails'
49 )
50 or strings.icontains(.scan.ocr.raw,
51 'uses ShareFile to share documents securely'
52 )
53 or strings.icontains(.scan.ocr.raw,
54 'ShareFile is a tool for sending, receiving, and organizing your business files online'
55 )
56 or strings.icontains(.scan.ocr.raw,
57 'Powered By Citrix ShareFile'
58 )
59 or regex.icontains(body.current_thread.text,
60 '© 20\d\d ShareFile'
61 )
62 )
63 )
64 )
65 )
66 and not (
67 sender.email.domain.root_domain in (
68 'sf-notifications.com',
69 'sharefile.com',
70 'cloud.com' // cloud.com is the parent org of ShareFile
71 )
72 and headers.auth_summary.dmarc.pass
73 )
74 // ShareFile also allows you customers to send from customer domains/mail servers
75 // https://docs.sharefile.com/en-us/sharefile/configure/admin-settings/advanced-preferences.html#smtp-server
76 // when this happens, we cannot depend on the sender.email.domain.root_domain
77 // there does appear to be a custom header value added though.
78 and not (
79 any(headers.hops,
80 .index == 0
81 and any(.fields,
82 (
83 .name =~ "X-SMTPAPI"
84 and strings.icontains(.value, 'sf_event_id')
85 )
86 or .name in~ ("x-sf-messageclass", "x-sf-uri")
87 )
88 )
89 )
90 // negate highly trusted sender domains unless they fail DMARC authentication
91 and (
92 (
93 sender.email.domain.root_domain in $high_trust_sender_root_domains
94 and not headers.auth_summary.dmarc.pass
95 )
96 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
97 )
98attack_types:
99 - "Credential Phishing"
100tactics_and_techniques:
101 - "Impersonation: Brand"
102 - "Evasion"
103 - "Lookalike domain"
104detection_methods:
105 - "Header analysis"
106 - "Content analysis"
107 - "Sender analysis"
108id: "f8330307-67fe-5b49-b850-bfdc17955aea"