Brand Impersonation: ShareFile

This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages.

Sublime rule (View on GitHub)

  1name: "Brand Impersonation: ShareFile"
  2description: "This detection rule matches on the impersonation of the file sharing site ShareFile.  Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages. "
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  and (
  8    0 < length(body.links) < 100
  9    or 0 < length(filter(attachments, .file_type in $file_types_images)) <= 5
 10  )
 11  and (
 12    strings.icontains(sender.display_name, 'ShareFile')
 13    or strings.icontains(subject.subject, 'ShareFile Attachments')
 14    or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
 15    or strings.icontains(sender.email.domain.domain, 'sharefile')
 16    // message body
 17    or strings.icontains(body.current_thread.text, 'ShareFile Attachments')
 18    or strings.icontains(body.current_thread.text,
 19                         'Click here to change how often ShareFile sends emails'
 20    )
 21    or strings.icontains(body.current_thread.text,
 22                         'uses ShareFile to share documents securely'
 23    )
 24    or strings.icontains(body.current_thread.text,
 25                         'ShareFile is a tool for sending, receiving, and organizing your business files online'
 26    )
 27   or regex.icontains(body.current_thread.text,
 28                       'shared a (?:file|document)\s*(?:\w+\s+){0,3}\s*via sharefile'
 29  
 30    )
 31    or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
 32    or regex.icontains(body.current_thread.text, '© 20\d\d ShareFile')
 33  
 34    // any of the attached images contain the same message body wording
 35    or (
 36      0 < length(attachments) <= 5
 37      and all(attachments, .file_type in $file_types_images)
 38      and any(attachments,
 39              any(file.explode(.),
 40                  strings.icontains(.scan.ocr.raw, 'ShareFile Attachments')
 41                  or strings.icontains(.scan.ocr.raw,
 42                                       'Click here to change how often ShareFile sends emails'
 43                  )
 44                  or strings.icontains(.scan.ocr.raw,
 45                                       'uses ShareFile to share documents securely'
 46                  )
 47                  or strings.icontains(.scan.ocr.raw,
 48                                       'ShareFile is a tool for sending, receiving, and organizing your business files online'
 49                  )
 50                  or strings.icontains(.scan.ocr.raw,
 51                                       'Powered By Citrix ShareFile'
 52                  )
 53                  or regex.icontains(body.current_thread.text,
 54                                     '© 20\d\d ShareFile'
 55                  )
 56              )
 57      )
 58    )
 59  )
 60  and not (
 61    sender.email.domain.root_domain in (
 62      'sf-notifications.com',
 63      'sharefile.com',
 64      'cloud.com' // cloud.com is the parent org of ShareFile
 65    )
 66    and headers.auth_summary.dmarc.pass
 67  )
 68  // ShareFile also allows you customers to send from customer domains/mail servers
 69  // https://docs.sharefile.com/en-us/sharefile/configure/admin-settings/advanced-preferences.html#smtp-server
 70  // when this happens, we cannot depend on the sender.email.domain.root_domain
 71  // there does appear to be a custom header value added though. 
 72  and not (
 73    any(headers.hops,
 74        .index == 0
 75        and any(.fields,
 76                (
 77                  .name =~ "X-SMTPAPI"
 78                  and strings.icontains(.value, 'sf_event_id')
 79                )
 80                or .name in~ ("x-sf-messageclass", "x-sf-uri")
 81        )
 82    )
 83  )
 84  // negate highly trusted sender domains unless they fail DMARC authentication
 85  and (
 86    (
 87      sender.email.domain.root_domain in $high_trust_sender_root_domains
 88      and not headers.auth_summary.dmarc.pass
 89    )
 90    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 91  )  
 92attack_types:
 93  - "Credential Phishing"
 94tactics_and_techniques:
 95  - "Impersonation: Brand"
 96  - "Evasion"
 97  - "Lookalike domain"
 98detection_methods:
 99  - "Header analysis"
100  - "Content analysis"
101  - "Sender analysis"
102id: "f8330307-67fe-5b49-b850-bfdc17955aea"
to-top