Link: Personal SharePoint with invalid recipients and credential theft language
Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with '-my' pattern) and high-confidence credential theft language in short message body.
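name: "Link: Personal SharePoint with invalid recipients and credential theft language"
# Description aligned with the rule body: the NLU check below accepts both
# "medium" and "high" confidence, not only high.
description: "Detects messages with undisclosed or invalid recipients containing a single link to a personal SharePoint domain (with '-my' pattern) and medium- or high-confidence credential theft language in a short message body."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // undisclosed recipients or no recipients: To is empty, or every To and
  // every Cc address has a domain flagged as not valid
  and (
    length(recipients.to) == 0
    or (
      all(recipients.to, .email.domain.valid == false)
      and all(recipients.cc, .email.domain.valid == false)
    )
  )
  // no previous threads: only the current thread text is evaluated below
  and length(body.previous_threads) == 0
  // personal SharePoint domain pattern (firstname-my.sharepoint.com or similar).
  // NOTE: icontains is a substring match, so any subdomain containing "-my"
  // qualifies, not only the "<tenant>-my" form.
  and any(body.links,
    .href_url.domain.root_domain == "sharepoint.com"
    and strings.icontains(.href_url.domain.subdomain, "-my")
  )
  // credential theft intent from ML at medium or high confidence
  and any(ml.nlu_classifier(body.current_thread.text).intents,
    .name == "cred_theft" and .confidence in ("medium", "high")
  )
  // and message is relatively short and contains a single link.
  // NOTE(review): the link count uses body.current_thread.links while the
  // SharePoint match above uses body.links; with previous_threads empty these
  // are expected to hold the same links — confirm before relying on it.
  and (
    length(body.current_thread.text) < 1500
    and length(body.current_thread.links) == 1
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "URL analysis"
id: "79d5403d-dc0f-5696-bc6d-f891ed707755"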