Brand impersonation: Sharepoint

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Sublime rule

# Sublime Security detection rule: YAML metadata wrapped around an MQL query in `source`.
# Comments inside the `source` block use MQL's `//` syntax (the YAML `#` would be query text there).
name: "Brand impersonation: Sharepoint"
description: |
    Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
type: "rule"
severity: "high"
source: |
  // every branch below is gated on an inbound message that carries at least one link
  type.inbound
  and length(body.links) > 0
  // SharePoint branding: logo detection on image/pdf attachments or on a rendered
  // screenshot, thread text that starts with "Sharepoint" (after confusable
  // normalisation), or an <img> tag whose title/alt mentions share* and whose src is empty
  and (
    any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name == "Microsoft SharePoint"
    )
    or strings.istarts_with(strings.replace_confusables(body.current_thread.text),
                            "Sharepoint"
    )
    or regex.icontains(body.html.raw,
                       '<img.*(title=|alt=).share.*src=""'
    ) // broken Sharepoint logo
  )
  // credential-theft lure: high-confidence cred_theft intent on the thread text
  // or on OCR of the screenshot, or an urgency entity whose text mentions "encrypted"
  and (
    (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      or any(file.explode(beta.message_screenshot()),
             any(ml.nlu_classifier(.scan.ocr.raw).intents,
                 .name == "cred_theft" and .confidence == "high"
             )
      )
    )
    or any(ml.nlu_classifier(body.current_thread.text).entities,
           .name == "urgency" and strings.ilike(.text, "*encrypted*")
    )
  )
  // exclude genuine replies/forwards: a reply/forward subject prefix combined with
  // threading headers and real previous-thread content (both are required, so a
  // bare "RE:" prefix on its own does not suppress the rule)
  and not (
    (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
        or regex.imatch(subject.subject,
                        '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
        )
      )
      and (
        (length(headers.references) > 0 or headers.in_reply_to is not null)
        // ensure that there are actual threads
        and (
          length(body.previous_threads) > 0
          or (length(body.html.display_text) - length(body.current_thread.text)) > 200
        )
      )
    )
  )
  // sender reputation gate: the sender must be uncommon, unsolicited, or have prior
  // malicious/spam messages, and must not have any benign history
  and (
    profile.by_sender_email().prevalence != 'common'
    or not profile.by_sender_email().solicited
    or profile.by_sender().any_messages_malicious_or_spam
  )
  and not profile.by_sender().any_messages_benign
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  
  // negate sharepoint file share
  // NOTE(review): headers.message_id is set by the sending system, so the
  // '<Share-' / '<Sharing' ... '@odspnotify>' format check on its own does not
  // prove origin; the action-link check further down is what anchors this exception
  and not (
    // based on the message id format
    (
      (
        strings.starts_with(headers.message_id, '<Share-')
        and strings.ends_with(headers.message_id, '@odspnotify>')
      )
      or // negate legitimate access request to file
   (
        strings.starts_with(headers.message_id, '<Sharing')
        and strings.ends_with(headers.message_id, '@odspnotify>')
      )
      // deal with Google thinking the message ID is "broke"
      or (
        strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
        and any(headers.hops,
                any(.fields,
                    .name == "X-Google-Original-Message-ID"
                    and strings.starts_with(.value, '<Share-')
                    and strings.ends_with(.value, '@odspnotify>')
                )
        )
      )
    )
    // all of the "action" links are sharepoint/ms
    // NOTE(review): if the filter selects no links (no link text appears in the
    // subject and none reads "Open"), all() is presumably vacuously true and the
    // exception still applies on the message-id match alone — confirm that is
    // intended, or additionally require length(filter(...)) > 0
    and all(filter(body.links,
                   strings.icontains(subject.subject, .display_text)
                   or .display_text == "Open"
            ),
            .href_url.domain.root_domain in ("sharepoint.com")
            or (
              .href_url.domain.tld == "ms"
              // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
              and (
                network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
                or strings.ilike(network.whois(.href_url.domain).registrar_name,
                                 "*MarkMonitor*",
                                 "*CSC Corporate*",
                                 "*com laude*"
                )
              )
            )
    )
  )  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"