Link: Secure SharePoint file share from new or unusual sender
This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.
Sublime rule (View on GitHub)
1name: "Link: Secure SharePoint file share from new or unusual sender"
2description: "This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content."
3type: "rule"
4severity: "low"
5source: |
6 type.inbound
7 // SharePoint email indicators
8 and strings.like(body.current_thread.text,
9 "*shared a file with you*",
10 "*shared with you*",
11 "*invited you to access a file*"
12 )
13 and strings.icontains(subject.subject, "shared")
14 // the Sharepoint file has been "Protected"
15 and any([body.plain.raw, body.current_thread.text],
16 strings.icontains(.,
17 "This link only works for the direct recipients of this message"
18 )
19 )
20 and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
21
22 // sender is uncommon
23 and (
24 (
25 profile.by_sender().prevalence in ("new", "rare", "outlier")
26 and not profile.by_sender().solicited
27 )
28 // or the reply-to address has never sent an email to the org
29 or (
30 sender.email.domain.root_domain == "sharepointonline.com"
31 and beta.profile.by_reply_to().prevalence == "new"
32 )
33 // or the message contains suspect language
34 or (
35 regex.icontains(body.current_thread.text,
36 '(kindly)'
37 )
38 )
39 )
40tags:
41 - "Attack surface reduction"
42attack_types:
43 - "Credential Phishing"
44tactics_and_techniques:
45 - "Free file host"
46 - "Evasion"
47detection_methods:
48 - "Content analysis"
49 - "Sender analysis"
50id: "74ed3020-50f8-5237-8a4d-bd7665a815aa"