Link: Suspicious Sharepoint Folder Share

This rule matches inbound messages that link to a SharePoint (OneDrive personal) shared folder exposing a single file whose name either has a `.url` extension, is written entirely in capital letters, or contains call-to-action / lure wording. The message must not be a genuine SharePoint share notification, and the sender must be unsolicited, a new or outlier sender, or previously flagged as malicious/spam with no recorded false positives. Highly trusted sender domains are exempt unless the message fails DMARC.

Sublime rule (View on GitHub)

 1name: "Link: Suspicious Sharepoint Folder Share"
 2description: "Detection Rule matches on messages which contain a link to a sharepoint shared folder containing a single file which is either a .url file, the filename is all caps, or includes call to action wording.  These messages must not be sent from sharepoint and are either not solicited or from a new or outlier sender."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(filter(body.links,
 8                 // folder share
 9                 strings.icontains(.href_url.domain.domain, "-my.sharepoint.com")
10                 and strings.icontains(.href_url.url, "/:f:/g/personal")
11                 
12                 // remove links which contains the domain sld in the subdomain (tenenat) name
13                 and not any($org_slds,
14                             strings.icontains(..href_url.domain.subdomain, .)
15                 )
16          ),
17          ( // a shared URL file
18            regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
19                            '<div role="row" aria-label="[^\"]+.url, url File, Shared'
20            )
21            or 
22            // the name of the file is all caps allowing for special charaters too
23            regex.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
24                           '<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[A-Z0-9_\-\s]+\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
25            )
26            or 
27            // includes odd wording
28            regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
29                            '<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[^\"]*(?:dropbox|docusign|secured?|important|shared?|protected|encrypted|scanne[rd]|_IMG_|IMG[_-](?:\d|\W)|doc(?:ument)?\s?\d+|one_drive|OneDrive|Access|Review Document|Click Here|Download|validate|Confidential(?:ity)?|payment|invoice|INV(?:_|\s)?\d+|INV(?:_|\s)|P[O0]\W+?\d+|Past Due|Remit(?:tance)?|statement|Purchase Order|settlement|contract agreement|Pr[0o]p[0o]sal|contract doc|EFax|\.\.\.)[^\"]*\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
30            )
31          )
32          // and only a single file shared
33          and strings.icount(ml.link_analysis(., mode="aggressive").final_dom.raw,
34                             '<div role="presentation" data-automationid="ListCell" class="ms-List-cell"'
35          ) == 1
36  )
37  // message is not from sharepoint actual
38  and not (
39    strings.starts_with(headers.message_id, '<Share-')
40    and strings.ends_with(headers.message_id, '@odspnotify>')
41  )
42  and (
43    // not solicited
44    not profile.by_sender().solicited
45    // new or outlier sender prevalence
46    or profile.by_sender().prevalence in ("new", "outlier")
47    // marked as spam and no FPs
48    or (
49      profile.by_sender().any_messages_malicious_or_spam
50      and not profile.by_sender().any_false_positives
51    )
52  )
53  
54  // negate highly trusted sender domains unless they fail DMARC authentication
55  and (
56    (
57      sender.email.domain.root_domain in $high_trust_sender_root_domains
58      and not headers.auth_summary.dmarc.pass
59    )
60    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
61  )  
62attack_types:
63  - "Credential Phishing"
64tactics_and_techniques:
65  - "Free file host"
66  - "Evasion"
67detection_methods:
68  - "HTML analysis"
69  - "Header analysis"
70  - "Sender analysis"
71  - "URL analysis"
72id: "6168a08c-6f4f-599f-877f-52efbba51cc4"