Link: SharePoint filename matches org name
Detects messages claiming to share files via SharePoint or OneDrive where the shared file name pattern matches the organizational naming pattern, indicating potential abuse of legitimate file sharing services to impersonate organizations.
Sublime rule (View on GitHub)
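name: "Link: SharePoint filename matches org name"
description: "Detects messages claiming to share files via SharePoint or OneDrive where the shared file name pattern matches the organizational naming pattern, indicating potential abuse of legitimate file sharing services to impersonate organizations."
type: "rule"
severity: "medium"
source: |
  // Inbound "a file was shared with you" lures whose SharePoint / OneDrive link
  // is labelled with the recipient organization's name (or a prefix/suffix of it).
  type.inbound
  and strings.ilike(subject.subject, "*shared*", "*invit*")
  and strings.ilike(body.current_thread.text,
                    "*shared a file with you*",
                    "*shared with you*",
                    "*invited you to access a file*"
  )
  // strings.ilike matches the whole input, so the exclusion needs the same
  // "*...*" wildcards as the patterns above; without them it can never match
  // a full message body and the exclusion is a no-op
  and not strings.ilike(body.current_thread.text, "*invited you to edit*")
  and (
    // use the display text of the link to determine the name of the file
    any(filter(body.current_thread.links,
               // links into the recipient's own tenant are not impersonation
               .href_url.domain.domain not in $tenant_domains
               and (
                 .href_url.domain.root_domain == "sharepoint.com"
                 or .href_url.domain.root_domain == "1drv.ms"
                 // handle urls with mimecast rewriting: the original host is
                 // carried in the query string (only the sharepoint.com host
                 // is recovered here; rewritten 1drv.ms links are not matched)
                 or (
                   .href_url.domain.root_domain == 'mimecastprotect.com'
                   and strings.icontains(.href_url.query_params, '.sharepoint.com')
                 )
               )
               // an empty label cannot name a file, and it would make the
               // prefix checks and the length ratio below meaningless
               // (length(..display_text) of 0 is the divisor of the ratio)
               and .display_text is not null
               and .display_text != ""
               and .display_text != "Open"
        ),
        // the link label equals the sender domain's second-level label
        // (=~ is a case-insensitive comparison)
        .display_text =~ sender.email.domain.sld
        // or the label matches the org named in the Microsoft 365 footer
        // ("... generated through <org>'s use ..."); the regex expects a
        // straight apostrophe, so a footer using a typographic one is not captured
        or any(regex.extract(body.current_thread.text,
                             "generated through (?P<org_name>[^']+)'s use"
               ),
               // the document name is the same as the org name as determined by the footer
               // this checks that the org_name starts with the display_text,
               // i.e. the link label is a prefix of the org name
               strings.istarts_with(.named_groups["org_name"], ..display_text)

               // this checks that the org_name is a substring of the display_text
               // it is in effect the "reverse" of the above check
               or (
                 (
                   strings.istarts_with(..display_text, .named_groups["org_name"])
                   or strings.iends_with(..display_text, .named_groups["org_name"])
                 )
                 // require the org name to make up most of the label so that a
                 // short org name embedded in a long, unrelated file name does
                 // not match; 0.45 is the rule author's threshold
                 and (
                   length(.named_groups["org_name"]) / (length(..display_text) * 1.0)
                 ) > 0.45
               )
        )
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "cb954726-12ac-5956-b4d1-55fcf3b4bd95"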