Link: Secure SharePoint file share from new or unusual sender

 1name: "Link: Secure SharePoint file share from new or unusual sender"
 2description: "This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content."
 3type: "rule"
 4severity: "low"
 5source: |
 6  type.inbound
 7  // SharePoint email indicators
 8  and strings.like(body.current_thread.text,
 9                   "*shared a file with you*",
10                   "*shared with you*",
11                   "*invited you to access a file*"
12  )
13  and strings.icontains(subject.subject, "shared")
14  // the Sharepoint file has been "Protected"
15  and any([body.plain.raw, body.current_thread.text],
16          strings.icontains(.,
17                            "This link only works for the direct recipients of this message"
18          )
19  )
20  and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
21  
22  // sender is uncommon
23  and (
24    profile.by_sender().prevalence in ("new", "rare", "outlier")
25    // or the reply-to address has never sent an email to the org
26    or profile.by_sender().prevalence in ("new")
27  )
28  and not profile.by_sender().solicited  
29tags:
30 - "Attack surface reduction"
31attack_types:
32  - "Credential Phishing"
33tactics_and_techniques:
34  - "Free file host"
35  - "Evasion"
36detection_methods:
37  - "Content analysis"
38  - "Sender analysis"
39id: "74ed3020-50f8-5237-8a4d-bd7665a815aa"