Link: Suspicious Sharepoint Folder Share
Detection Rule matches on messages which contain a link to a sharepoint shared folder containing a single file which is either a .url file, the filename is all caps, or includes call to action wording. These messages must not be sent from sharepoint and are either not solicited or from a new or outlier sender.
Sublime rule (View on GitHub)
1name: "Link: Suspicious Sharepoint Folder Share"
2description: "Detection Rule matches on messages which contain a link to a sharepoint shared folder containing a single file which is either a .url file, the filename is all caps, or includes call to action wording. These messages must not be sent from sharepoint and are either not solicited or from a new or outlier sender."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and any(filter(body.links,
8 // folder share
9 strings.icontains(.href_url.domain.domain, "-my.sharepoint.com")
10 and strings.icontains(.href_url.url, "/:f:/g/personal")
11
12 // remove links which contains the domain sld in the subdomain (tenenat) name
13 and not any($org_slds,
14 strings.icontains(..href_url.domain.subdomain, .)
15 )
16 ),
17 ( // a shared URL file
18 regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
19 '<div role="row" aria-label="[^\"]+.url, url File, Shared'
20 )
21 or
22 // the name of the file is all caps allowing for special charaters too
23 regex.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
24 '<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[A-Z0-9_\-\s]+\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
25 )
26 or
27 // includes odd wording
28 regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
29 '<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[^\"]*(?:dropbox|docusign|secured?|important|shared?|protected|encrypted|scanne[rd]|_IMG_|IMG[_-](?:\d|\W)|doc(?:ument)?\s?\d+|one_drive|OneDrive|Access|Review Document|Click Here|Download|validate|Confidential(?:ity)?|payment|invoice|INV(?:_|\s)?\d+|INV(?:_|\s)|P[O0]\W+?\d+|Past Due|Remit(?:tance)?|statement|Purchase Order|settlement|contract agreement|Pr[0o]p[0o]sal|contract doc|EFax|\.\.\.)[^\"]*\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
30 )
31 )
32 // and only a single file shared
33 and strings.icount(ml.link_analysis(., mode="aggressive").final_dom.raw,
34 '<div role="presentation" data-automationid="ListCell" class="ms-List-cell"'
35 ) == 1
36 )
37 // message is not from sharepoint actual
38 and not (
39 strings.starts_with(headers.message_id, '<Share-')
40 and strings.ends_with(headers.message_id, '@odspnotify>')
41 )
42 and (
43 // not solicited
44 not profile.by_sender().solicited
45 // new or outlier sender prevalence
46 or profile.by_sender().prevalence in ("new", "outlier")
47 // marked as spam and no FPs
48 or (
49 profile.by_sender().any_messages_malicious_or_spam
50 and not profile.by_sender().any_false_positives
51 )
52 )
53
54 // negate highly trusted sender domains unless they fail DMARC authentication
55 and (
56 (
57 sender.email.domain.root_domain in $high_trust_sender_root_domains
58 and not headers.auth_summary.dmarc.pass
59 )
60 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
61 )
62attack_types:
63 - "Credential Phishing"
64tactics_and_techniques:
65 - "Free file host"
66 - "Evasion"
67detection_methods:
68 - "HTML analysis"
69 - "Header analysis"
70 - "Sender analysis"
71 - "URL analysis"
72id: "6168a08c-6f4f-599f-877f-52efbba51cc4"