Brand impersonation: Sharepoint
Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Sharepoint"
2description: |
3 Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(body.links) > 0
9 and (
10 any(attachments,
11 (.file_type in $file_types_images or .file_type == "pdf")
12 and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13 )
14 or any(ml.logo_detect(beta.message_screenshot()).brands,
15 .name == "Microsoft SharePoint"
16 )
17 or strings.istarts_with(strings.replace_confusables(body.current_thread.text), "Sharepoint")
18 or regex.icontains(body.html.raw, '<img.*(title=|alt=).share.*src=""') // broken Sharepoint logo
19 )
20 and (
21 (
22 any(ml.nlu_classifier(body.current_thread.text).intents,
23 .name == "cred_theft" and .confidence == "high"
24 )
25 or any(file.explode(beta.message_screenshot()),
26 any(ml.nlu_classifier(.scan.ocr.raw).intents,
27 .name == "cred_theft" and .confidence == "high"
28 )
29 )
30 )
31 or any(ml.nlu_classifier(body.current_thread.text).entities,
32 .name == "urgency" and strings.ilike(.text, "*encrypted*")
33 )
34 )
35
36 and (
37 not (
38 (
39 strings.istarts_with(subject.subject, "RE:")
40 or strings.istarts_with(subject.subject, "R:")
41 or strings.istarts_with(subject.subject, "ODG:")
42 or strings.istarts_with(subject.subject, "答复:")
43 or strings.istarts_with(subject.subject, "AW:")
44 or strings.istarts_with(subject.subject, "TR:")
45 or strings.istarts_with(subject.subject, "FWD:")
46 or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
47 or regex.imatch(subject.subject,
48 '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
49 )
50 )
51 and (
52 (
53 length(headers.references) > 0
54 or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
55 )
56 // ensure that there are actual threads
57 and (length(body.html.display_text) - length(body.current_thread.text)) > 200
58 )
59 )
60 or length(body.current_thread.text) == 0
61 )
62
63 and (
64 profile.by_sender_email().prevalence != 'common'
65 or not profile.by_sender_email().solicited
66 or profile.by_sender().any_messages_malicious_or_spam
67 )
68 and not profile.by_sender().any_false_positives
69
70 // negate highly trusted sender domains unless they fail DMARC authentication
71 and (
72 (
73 sender.email.domain.root_domain in $high_trust_sender_root_domains
74 and not headers.auth_summary.dmarc.pass
75 )
76 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
77 )
78
79 // negate sharepoint file share
80 and not (
81 // based on the message id format
82 (
83 (
84 strings.starts_with(headers.message_id, '<Share-')
85 and strings.ends_with(headers.message_id, '@odspnotify>')
86 )
87 // deal with Google thinking the message ID is "broke"
88 or (
89 strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
90 and any(headers.hops,
91 any(.fields,
92 .name == "X-Google-Original-Message-ID"
93 and strings.starts_with(.value, '<Share-')
94 and strings.ends_with(.value, '@odspnotify>')
95 )
96 )
97 )
98 )
99 // all of the "action" links are sharepoint/ms
100 and all(filter(body.links,
101 strings.icontains(subject.subject, .display_text)
102 or .display_text == "Open"
103 ),
104 .href_url.domain.root_domain in ("sharepoint.com")
105 or .href_url.domain.tld == "ms"
106 )
107 )
108
109attack_types:
110 - "Credential Phishing"
111tactics_and_techniques:
112 - "Impersonation: Brand"
113 - "Social engineering"
114detection_methods:
115 - "Computer Vision"
116 - "Content analysis"
117 - "File analysis"
118 - "Natural Language Understanding"
119 - "Sender analysis"
120id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"