Brand impersonation: Sharepoint
Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Sharepoint"
2description: |
3 Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(body.links) > 0
9 and (
10 any(attachments,
11 (.file_type in $file_types_images or .file_type == "pdf")
12 and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
13 )
14 or any(ml.logo_detect(file.message_screenshot()).brands,
15 .name == "Microsoft SharePoint"
16 )
17 or strings.istarts_with(strings.replace_confusables(body.current_thread.text),
18 "Sharepoint"
19 )
20 or regex.icontains(body.html.raw,
21 '<img.*(title=|alt=).share.*src=""'
22 ) // broken Sharepoint logo
23 or (
24 strings.icontains(strings.replace_confusables(body.plain.raw), "SharePoint")
25 // message body references file deletion
26 and regex.icontains(body.plain.raw,
27 '(expired )?file\s(was|has been|will be|scheduled (for|to be))\s?delet(ed|ion)'
28 )
29 )
30 or (
31 strings.icontains(body.current_thread.text, 'Sharepoint')
32 and (
33 regex.icontains(body.html.raw, '{(?:domain|randomNumber\d?)}')
34 or any(body.links,
35 regex.icontains(.href_url.url, 'mailto:[^@]+@{domain}')
36 )
37 or regex.icontains(body.html.raw, '<title>[^<]*Easearch[^<]*</title>')
38 )
39 )
40 )
41 and (
42 (
43 any(ml.nlu_classifier(body.current_thread.text).intents,
44 .name == "cred_theft" and .confidence == "high"
45 )
46 //
47 // This rule makes use of a beta feature and is subject to change without notice
48 // using the beta feature in custom rules is not suggested until it has been formally released
49 //
50 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
51 .name == "cred_theft" and .confidence == "high"
52 )
53 )
54 or any(ml.nlu_classifier(body.current_thread.text).entities,
55 .name == "urgency" and strings.ilike(.text, "*encrypted*")
56 )
57 or any(body.links,
58 regex.imatch(.display_text,
59 '(?:re)?view (?:(?:&|and) (?:e([[:punct:]]|\s)?)?sign )?(?:complete )?(?:document|file)'
60 )
61 )
62 )
63 and not (
64 (
65 (
66 strings.istarts_with(subject.subject, "RE:")
67 or strings.istarts_with(subject.subject, "R:")
68 or strings.istarts_with(subject.subject, "ODG:")
69 or strings.istarts_with(subject.subject, "答复:")
70 or strings.istarts_with(subject.subject, "AW:")
71 or strings.istarts_with(subject.subject, "TR:")
72 or strings.istarts_with(subject.subject, "FWD:")
73 or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
74 or regex.imatch(subject.subject,
75 '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
76 )
77 )
78 and (
79 (length(headers.references) > 0 or headers.in_reply_to is not null)
80 // ensure that there are actual threads
81 and (
82 length(body.previous_threads) > 0
83 or (length(body.html.display_text) - length(body.current_thread.text)) > 200
84 )
85 )
86 )
87 )
88 and (
89 profile.by_sender_email().prevalence != 'common'
90 or not profile.by_sender_email().solicited
91 or profile.by_sender().any_messages_malicious_or_spam
92 )
93 and not profile.by_sender().any_messages_benign
94
95 // negate highly trusted sender domains unless they fail DMARC authentication
96 and (
97 (
98 sender.email.domain.root_domain in $high_trust_sender_root_domains
99 and not headers.auth_summary.dmarc.pass
100 )
101 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
102 )
103
104 // negate sharepoint file share
105 and not (
106 // based on the message id format
107 (
108 (
109 strings.starts_with(headers.message_id, '<Share-')
110 and strings.ends_with(headers.message_id, '@odspnotify>')
111 )
112 // negate legitimate access request to file
113 or (
114 strings.starts_with(headers.message_id, '<Sharing')
115 and strings.ends_with(headers.message_id, '@odspnotify>')
116 )
117 // deal with Google thinking the message ID is "broke"
118 or (
119 strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
120 and any(headers.hops,
121 any(.fields,
122 .name == "X-Google-Original-Message-ID"
123 and strings.starts_with(.value, '<Share-')
124 and strings.ends_with(.value, '@odspnotify>')
125 )
126 )
127 )
128 )
129 // all of the "action" links are sharepoint/ms
130 and all(filter(body.links,
131 strings.icontains(subject.subject, .display_text)
132 or .display_text == "Open"
133 ),
134 .href_url.domain.root_domain in ("sharepoint.com")
135 or (
136 .href_url.domain.tld == "ms"
137 // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
138 and (
139 network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
140 or strings.ilike(network.whois(.href_url.domain).registrar_name,
141 "*MarkMonitor*",
142 "*CSC Corporate*",
143 "*com laude*"
144 )
145 )
146 )
147 )
148 )
149 // negate sharepoint file shares with mimecast rewrites
150 and not (
151 // rewritten message ID
152 strings.iends_with(headers.message_id, 'mimecast.lan>')
153 and all(filter(body.links,
154 strings.icontains(subject.subject, .display_text)
155 or .display_text == "Open"
156 ),
157 .href_url.domain.root_domain in (
158 "mimecastprotect.com",
159 "mimecast.com"
160 )
161 and any(.href_url.query_params_decoded["domain"],
162 strings.parse_domain(.).tld == "ms"
163 or strings.parse_domain(.).root_domain == "sharepoint.com"
164 )
165 )
166 )
167attack_types:
168 - "Credential Phishing"
169tactics_and_techniques:
170 - "Impersonation: Brand"
171 - "Social engineering"
172detection_methods:
173 - "Computer Vision"
174 - "Content analysis"
175 - "File analysis"
176 - "Natural Language Understanding"
177 - "Sender analysis"
178id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"