Brand impersonation: Sharepoint

calendar Oct 17, 2025  ·
Share on: linkedin copy

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Sharepoint"
  2description: |
  3    Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
  4type: "rule"
  5severity: "high"
  6source: |
  7  type.inbound
  8  and length(body.links) > 0
  9  and (
 10    any(attachments,
 11        (.file_type in $file_types_images or .file_type == "pdf")
 12        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
 13    )
 14    or any(ml.logo_detect(file.message_screenshot()).brands,
 15           .name == "Microsoft SharePoint"
 16    )
 17    or strings.istarts_with(strings.replace_confusables(body.current_thread.text),
 18                            "Sharepoint"
 19    )
 20    or regex.icontains(body.html.raw,
 21                       '<img.*(title=|alt=).share.*src=""'
 22    ) // broken Sharepoint logo
 23  )
 24  and (
 25    (
 26      any(ml.nlu_classifier(body.current_thread.text).intents,
 27          .name == "cred_theft" and .confidence == "high"
 28      )
 29      //
 30      // This rule makes use of a beta feature and is subject to change without notice
 31      // using the beta feature in custom rules is not suggested until it has been formally released
 32      //
 33      or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
 34             .name == "cred_theft" and .confidence == "high"
 35      )
 36    )
 37    or any(ml.nlu_classifier(body.current_thread.text).entities,
 38           .name == "urgency" and strings.ilike(.text, "*encrypted*")
 39    )
 40  )
 41  and not (
 42    (
 43      (
 44        strings.istarts_with(subject.subject, "RE:")
 45        or strings.istarts_with(subject.subject, "R:")
 46        or strings.istarts_with(subject.subject, "ODG:")
 47        or strings.istarts_with(subject.subject, "答复:")
 48        or strings.istarts_with(subject.subject, "AW:")
 49        or strings.istarts_with(subject.subject, "TR:")
 50        or strings.istarts_with(subject.subject, "FWD:")
 51        or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 52        or regex.imatch(subject.subject,
 53                        '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
 54        )
 55      )
 56      and (
 57        (length(headers.references) > 0 or headers.in_reply_to is not null)
 58        // ensure that there are actual threads
 59        and (
 60          length(body.previous_threads) > 0
 61          or (length(body.html.display_text) - length(body.current_thread.text)) > 200
 62        )
 63      )
 64    )
 65  )
 66  and (
 67    profile.by_sender_email().prevalence != 'common'
 68    or not profile.by_sender_email().solicited
 69    or profile.by_sender().any_messages_malicious_or_spam
 70  )
 71  and not profile.by_sender().any_messages_benign
 72  
 73  // negate highly trusted sender domains unless they fail DMARC authentication
 74  and (
 75    (
 76      sender.email.domain.root_domain in $high_trust_sender_root_domains
 77      and not headers.auth_summary.dmarc.pass
 78    )
 79    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 80  )
 81  
 82  // negate sharepoint file share
 83  and not (
 84    // based on the message id format
 85    (
 86      (
 87        strings.starts_with(headers.message_id, '<Share-')
 88        and strings.ends_with(headers.message_id, '@odspnotify>')
 89      )
 90      or // negate legitimate access request to file
 91   (
 92        strings.starts_with(headers.message_id, '<Sharing')
 93        and strings.ends_with(headers.message_id, '@odspnotify>')
 94      )
 95      // deal with Google thinking the message ID is "broke"
 96      or (
 97        strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
 98        and any(headers.hops,
 99                any(.fields,
100                    .name == "X-Google-Original-Message-ID"
101                    and strings.starts_with(.value, '<Share-')
102                    and strings.ends_with(.value, '@odspnotify>')
103                )
104        )
105      )
106    )
107    // all of the "action" links are sharepoint/ms
108    and all(filter(body.links,
109                   strings.icontains(subject.subject, .display_text)
110                   or .display_text == "Open"
111            ),
112            .href_url.domain.root_domain in ("sharepoint.com")
113            or (
114              .href_url.domain.tld == "ms"
115              // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
116              and (
117                network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
118                or strings.ilike(network.whois(.href_url.domain).registrar_name,
119                                 "*MarkMonitor*",
120                                 "*CSC Corporate*",
121                                 "*com laude*"
122                )
123              )
124            )
125    )
126  )  
127attack_types:
128  - "Credential Phishing"
129tactics_and_techniques:
130  - "Impersonation: Brand"
131  - "Social engineering"
132detection_methods:
133  - "Computer Vision"
134  - "Content analysis"
135  - "File analysis"
136  - "Natural Language Understanding"
137  - "Sender analysis"
138id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"
to-top