Impersonation: SharePoint Reply Header Anomaly
Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns
name: "Impersonation: SharePoint Reply Header Anomaly"
description: "Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // appears to be a reply: In-Reply-To carries the id format associated with
  // SharePoint sharing notifications. Header values are sender-supplied, so this
  // only anchors the rule; the conditions below check for the traits a genuine
  // reply to such a notification would also carry
  and strings.istarts_with(headers.in_reply_to, '<Share-')
  and strings.ends_with(headers.in_reply_to, '@odspnotify>')
  // the body uses file-sharing notification language
  and any([body.current_thread.text, body.plain.raw],
          strings.ilike(.,
                        "*shared a file with you*",
                        "*shared with you*",
                        "*invited you to access a file*",
                        "*received a document*",
                        "*shared a document*",
                        "*shared a new document*",
                        "*shared this document*"
          )
  )
  and ( // but lacks other reply elements (either branch below is sufficient)
    // branch 1: the subject carries no reply/forward/auto-reply prefix
    // (English plus common localized variants)
    not (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "RES:")
      or strings.istarts_with(subject.subject, "R:")
      or strings.istarts_with(subject.subject, "ODG:")
      or strings.istarts_with(subject.subject,
                              "答复:"
      ) // response
      or strings.istarts_with(subject.subject,
                              "回复:"
      ) // reply
      or strings.istarts_with(subject.subject, "AW:")
      or strings.istarts_with(subject.subject, "TR:")
      or strings.istarts_with(subject.subject, "FWD:")
      or strings.istarts_with(subject.subject, "Resposta automática:")
      or strings.istarts_with(subject.subject, "Automatische Antwort:")
      or strings.istarts_with(subject.subject, "Autosvar:")
      // catch-all: up to three bracketed tags or EXT/EXTERNAL markers, or a single
      // punctuated word, preceding a reply/forward/auto-reply prefix
      or regex.icontains(subject.subject,
                         '^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|tr|aw|automat(ic|ed) reply)\s?:'
      )
    )
    // branch 2: anomalous recipient pattern
    // the sender is the recipient (and the only one across to, cc and bcc)
    // or the recipients are hidden (no To entries, or every To address is empty)
    or (
      (
        sender.email.email in map(recipients.to, .email.email)
        and sum([
              length(recipients.bcc),
              length(recipients.to),
              length(recipients.cc)
            ]
        ) == 1
      )
      or length(recipients.to) == 0
      or all(recipients.to, .email.email is null or .email.email == "")
    )
  )

  // lack a previous thread with SharePoint content: no quoted earlier message
  // (three or more of the usual header labels) that itself carried sharing
  // language. The rule treats such a quoted notification as the mark of a
  // genuine reply and excludes the message when it is present
  and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
              3 of (
                strings.icontains(., "from:"),
                strings.icontains(., "to:"),
                strings.icontains(., "sent:"),
                strings.icontains(., "date:"),
                strings.icontains(., "cc:"),
                strings.icontains(., "subject:")
              )
              and regex.icontains(.,
                                  '(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
                                  '(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
                                  '(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
              )
  )

  // negate bouncebacks and undeliverables, identified by delivery-status attachments
  and not any(attachments,
              .content_type in (
                "message/global-delivery-status",
                "message/delivery-status"
              )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Impersonation: Brand"
  - "Evasion"
  - "Spoofing"
detection_methods:
  - "Header analysis"
  - "Content analysis"
  - "Sender analysis"
id: "78875848-71ba-5685-ba1c-00c5269cad23"