Brand impersonation: Sharepoint fake file share

This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.


 1name: "Brand impersonation: Sharepoint fake file share"
 2description: |
 3    This rule detects messages impersonating a Sharepoint file sharing email where no links point to known Microsoft domains.
 4type: "rule"
 5severity: "medium"
 6source: |
  // Flags inbound mail that reads like a SharePoint "shared a file with you"
  // notification (body and subject wording plus a Microsoft logo detected in a
  // screenshot of the message) but where at least one body link leaves the
  // Microsoft domain allowlist below, and the sender is neither an org domain
  // nor a listed Microsoft domain. Every clause is AND-ed: a message must
  // satisfy all of them to match.
 7  type.inbound
 8  
  // Sharepoint body content looks like this. strings.like is a wildcard match
  // on the current thread's text; any one of the three patterns is enough.
  // NOTE(review): strings.like appears to be case-sensitive, so a capitalised
  // "Shared a file with you" would not match — confirm, and consider
  // strings.ilike if case-insensitive matching is intended.
10  and strings.like(body.current_thread.text, "*shared a file with you*", "*shared with you*", "*invited you to access a file*")
  // Case-insensitive substring check on the subject.
11  and strings.icontains(subject.subject, "shared")
  // Logo detection runs on a rendered screenshot of the message; the brand
  // must be recognised as Microsoft. The beta. namespace suggests this
  // function is still in preview — verify its stability before relying on it.
12  and any(ml.logo_detect(beta.message_screenshot()).brands, .name == "Microsoft")
13
  // Negate messages when the message-id indicates the message is from MS actual. DKIM/SPF domains can be custom and therefore are unpredictable.
  // NOTE(review): headers.message_id is supplied by the sending system, so
  // this exclusion is a convenience heuristic rather than authentication; the
  // DMARC condition further down does not apply to messages excluded here.
15  and not (
16      strings.starts_with(headers.message_id, '<Share-')
17      and strings.ends_with(headers.message_id, '@odspnotify>')
18  )
19
  // fake Sharepoint shares are easy to identify if there are any links
  // that don't point to microsoft[.]com or *.sharepoint[.]com
  // "not all(...)" is true when at least one link's root domain is outside the
  // allowlist; root_domain means any subdomain of a listed domain is accepted.
  // NOTE(review): if all() is vacuously true on an empty list, a message with
  // no links at all never matches this rule — confirm that is intended.
22  and not all(body.links,
23              .href_url.domain.root_domain in ("1drv.ms", "aka.ms", "microsoft.com", "sharepoint.com")
24  )
  // Exclude senders from the organisation's own domains ($org_domains is
  // presumably the tenant-configured list — verify against the environment).
25  and sender.email.domain.root_domain not in $org_domains
  // Exclude senders whose root domain is a known Microsoft property. This list
  // filters the sender's domain, not the links in the body.
26  and sender.email.domain.root_domain not in (
27    "bing.com",
28    "microsoft.com",
29    "microsoftonline.com",
30    "microsoftsupport.com",
31    "microsoft365.com",
32    "office.com",
33    "onedrive.com",
34    "sharepointonline.com",
35    "yammer.com",
    // ignore microsoft privacy statement links (as a sender root domain here;
    // aka.ms as a link is handled by the link allowlist above)
37    "aka.ms"
38  )
39  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust domain stays eligible to match only when
  // headers.auth_summary.dmarc.pass is false; all other domains are eligible.
41  and (
42    (
43      sender.email.domain.root_domain in $high_trust_sender_root_domains
44      and not headers.auth_summary.dmarc.pass
45    )
46    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
47  )
  // Sender-profile gate: the sender must be unsolicited, or have prior
  // malicious/spam messages and no recorded false positives.
  // NOTE(review): the "not any_false_positives" inside the second branch is
  // already implied by the unconditional check that follows this block.
48  and (
49    (
50      not profile.by_sender().solicited
51    )
52    or (
53      profile.by_sender().any_messages_malicious_or_spam
54      and not profile.by_sender().any_false_positives
55    )
56  )
  // Any prior false positive for this sender suppresses the rule outright.
57  and not profile.by_sender().any_false_positives  
58
59attack_types:
60  - "Credential Phishing"
61  - "Malware/Ransomware"
62detection_methods:
63  - "Content analysis"
64  - "Header analysis"
65  - "URL analysis"
66  - "Computer Vision"
67tactics_and_techniques:
68  - "Impersonation: Brand"
69  - "Social engineering"
70id: "ff8b296b-aa0d-5df0-b4d2-0e599b688f6a"