Link: Secure SharePoint file share from new or unusual sender

calendar Jul 8, 2024 · Attack surface reduction  ·
Share on: linkedin copy

This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.

Sublime rule (View on GitHub)

 1name: "Link: Secure SharePoint file share from new or unusual sender"
 2description: "This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // SharePoint email indicators
 8  and strings.like(body.current_thread.text,
 9                   "*shared a file with you*",
10                   "*shared with you*",
11                   "*invited you to access a file*"
12  )
13  and strings.icontains(subject.subject, "shared")
14  // the Sharepoint file has been "Protected"
15  and any([body.plain.raw, body.current_thread.text],
16          strings.icontains(.,
17                            "This link only works for the direct recipients of this message"
18          )
19  )
20  and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
21  
22  // sender is uncommon
23  and profile.by_sender().prevalence in ("new", "rare", "outlier")
24  and not profile.by_sender().solicited  
25tags:
26 - "Attack surface reduction"
27attack_types:
28  - "Credential Phishing"
29tactics_and_techniques:
30  - "Free file host"
31  - "Evasion"
32detection_methods:
33  - "Content analysis"
34  - "Sender analysis"
35id: "74ed3020-50f8-5237-8a4d-bd7665a815aa"

Related rules

to-top