Link: SharePoint filename matches org name

Detects when a SharePoint or OneDrive shared file link contains suspicious filename patterns that match organizational naming patterns, indicating potential impersonation. This has been observed in conjunction with native Microsoft SharePoint share verification via email and One Time Password.

Sublime rule (View on GitHub)

 1name: "Link: SharePoint filename matches org name"
 2description: "Detects when a SharePoint or OneDrive shared file link contains suspicious filename patterns that match organizational naming patterns, indicating potential impersonation.  This has been observed in conjuction with native Microsoft Sharepoint share verification via email and One Time Password. "
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and strings.ilike(subject.subject, "*shared*", "*invit*")
 8  and strings.ilike(body.current_thread.text,
 9                    "*shared a file with you*",
10                    "*shared with you*",
11                    "*invited you to access a file*"
12  )
13  and not strings.ilike(body.current_thread.text, "invited you to edit")
14  and (
15    // use the display text of the link to determine the name of the file
16    any(filter(body.links,
17               (
18                 .href_url.domain.root_domain == "sharepoint.com"
19                 or .href_url.domain.root_domain == "1drv.ms"
20                 // handle urls with mimecast rewriting
21                 or (
22                   .href_url.domain.root_domain == 'mimecastprotect.com'
23                   and strings.icontains(.href_url.query_params,
24                                         '.sharepoint.com'
25                   )
26                 )
27               )
28               and .display_text != "Open"
29        ),
30  
31  
32        // the document name is the same as the org name
33        // as determined by the footer 
34        (
35          strings.icontains(body.current_thread.text,
36                            strings.concat('This email is generated through ',
37                                           .display_text
38                            )
39          )
40          and strings.icontains(body.current_thread.text,
41                                strings.concat("\'s use of Microsoft 365 and may contain content that is controlled by ",
42                                               .display_text
43                                )
44          )
45        )
46    )
47  )  
48attack_types:
49  - "Credential Phishing"
50tactics_and_techniques:
51  - "Impersonation: Employee"
52  - "Social engineering"
53detection_methods:
54  - "Content analysis"
55  - "URL analysis"
56id: "cb954726-12ac-5956-b4d1-55fcf3b4bd95"