Brand impersonation: Sharepoint

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Sharepoint"
  2description: |
  3    Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.
  4type: "rule"
  5severity: "high"
  6source: |
  7  type.inbound
  8  and length(body.links) > 0
  9  and (
 10    any(attachments,
 11        (.file_type in $file_types_images or .file_type == "pdf")
 12        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
 13    )
 14    or any(ml.logo_detect(beta.message_screenshot()).brands,
 15           .name == "Microsoft SharePoint"
 16    )
 17    or strings.istarts_with(strings.replace_confusables(body.current_thread.text), "Sharepoint")
 18    or regex.icontains(body.html.raw, '<img.*(title=|alt=).share.*src=""')  // broken Sharepoint logo
 19  )
 20  and (
 21    (
 22      any(ml.nlu_classifier(body.current_thread.text).intents,
 23          .name == "cred_theft" and .confidence == "high"
 24      )
 25      or any(file.explode(beta.message_screenshot()),
 26             any(ml.nlu_classifier(.scan.ocr.raw).intents,
 27                 .name == "cred_theft" and .confidence == "high"
 28             )
 29      )
 30    )
 31    or any(ml.nlu_classifier(body.current_thread.text).entities,
 32           .name == "urgency" and strings.ilike(.text, "*encrypted*")
 33    )
 34  )
 35
 36  and (
 37    not (
 38      (
 39        strings.istarts_with(subject.subject, "RE:")
 40        or strings.istarts_with(subject.subject, "R:")
 41        or strings.istarts_with(subject.subject, "ODG:")
 42        or strings.istarts_with(subject.subject, "答复:")
 43        or strings.istarts_with(subject.subject, "AW:")
 44        or strings.istarts_with(subject.subject, "TR:")
 45        or strings.istarts_with(subject.subject, "FWD:")
 46        or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
 47        or regex.imatch(subject.subject,
 48                        '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
 49        )
 50      )
 51      and (
 52        (
 53          length(headers.references) > 0
 54          or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
 55        )
 56        // ensure that there are actual threads
 57        and (length(body.html.display_text) - length(body.current_thread.text)) > 200
 58      )
 59    )
 60    or length(body.current_thread.text) == 0
 61  )
 62  
 63  and (
 64    profile.by_sender_email().prevalence != 'common'
 65    or not profile.by_sender_email().solicited
 66    or profile.by_sender().any_messages_malicious_or_spam
 67  )
 68  and not profile.by_sender().any_false_positives
 69  
 70  // negate highly trusted sender domains unless they fail DMARC authentication
 71  and (
 72    (
 73      sender.email.domain.root_domain in $high_trust_sender_root_domains
 74      and not headers.auth_summary.dmarc.pass
 75    )
 76    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
 77  )
 78
 79  // negate sharepoint file share
 80  and not (
 81    // based on the message id format
 82    (
 83      (
 84        strings.starts_with(headers.message_id, '<Share-')
 85        and strings.ends_with(headers.message_id, '@odspnotify>')
 86      )
 87      // deal with Google thinking the message ID is "broke"
 88      or (
 89        strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
 90        and any(headers.hops,
 91                any(.fields,
 92                    .name == "X-Google-Original-Message-ID"
 93                    and strings.starts_with(.value, '<Share-')
 94                    and strings.ends_with(.value, '@odspnotify>')
 95                )
 96        )
 97      )
 98    )
 99    // all of the "action" links are sharepoint/ms
100    and all(filter(body.links,
101                   strings.icontains(subject.subject, .display_text)
102                   or .display_text == "Open"
103            ),
104            .href_url.domain.root_domain in ("sharepoint.com")
105            or .href_url.domain.tld == "ms"
106    )
107  )  
108
109attack_types:
110  - "Credential Phishing"
111tactics_and_techniques:
112  - "Impersonation: Brand"
113  - "Social engineering"
114detection_methods:
115  - "Computer Vision"
116  - "Content analysis"
117  - "File analysis"
118  - "Natural Language Understanding"
119  - "Sender analysis"
120id: "284b1b70-8daa-5adf-9df8-15d4c6b5ead9"
to-top