Link: Secure SharePoint file share from new or unusual sender

 1name: "Link: Secure SharePoint file share from new or unusual sender"
 2description: "This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // SharePoint email indicators
 8  and strings.like(body.current_thread.text,
 9                   "*shared a file with you*",
10                   "*shared with you*",
11                   "*invited you to access a file*"
12  )
13  and strings.icontains(subject.subject, "shared")
14  // the Sharepoint file has been "Protected"
15  and any([body.plain.raw, body.current_thread.text],
16          strings.icontains(.,
17                            "This link only works for the direct recipients of this message"
18          )
19  )
20  and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
21  
22  // sender is uncommon
23  and (
24    (
25      profile.by_sender_email().prevalence in ("new", "rare", "outlier")
26      and not profile.by_sender_email().solicited
27    )
28    // or the reply-to address has never sent an email to the org
29    or (
30      sender.email.domain.root_domain == "sharepointonline.com"
31      and beta.profile.by_reply_to().prevalence == "new"
32    )
33    // or the message contains suspect language
34    or (
35      regex.icontains(body.current_thread.text,
36                      '(kindly)'
37      )
38    )
39  )  
40tags:
41 - "Attack surface reduction"
42attack_types:
43  - "Credential Phishing"
44tactics_and_techniques:
45  - "Free file host"
46  - "Evasion"
47detection_methods:
48  - "Content analysis"
49  - "Sender analysis"
50id: "74ed3020-50f8-5237-8a4d-bd7665a815aa"