Link: SharePoint files shared from GoDaddy federated tenants
This matches on inbound Shared File notification emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. Such tenants have frequently been observed being abused to send credential phishing campaigns.
Sublime rule
```yaml
name: "Link: SharePoint files shared from GoDaddy federated tenants"
description: "This matches on inbound Shared File notification emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These have been observed being frequently abused to send credential phishing campaigns."
type: "rule"
severity: "low"
source: |
  type.inbound
  // Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
  and strings.starts_with(headers.message_id, '<Share-')
  and strings.ends_with(headers.message_id, '@odspnotify>')

  // subject matches the default "shared <filename> with you" format
  and strings.ends_with(subject.subject, ' with you')

  // any of the links are the default netorgft name from GoDaddy
  and any(body.links,
          // Default GoDaddy tenant names
          strings.starts_with(.href_url.domain.subdomain, 'netorg')
          and .href_url.domain.root_domain == "sharepoint.com"
  )

  // and sender has never had email sent to them
  and not profile.by_sender().solicited

  // and there haven't been any FPs reported for the sender
  and not profile.by_sender().any_false_positives
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "0e26cdd2-cf19-53ed-8b30-b3e2e7ea912f"
```
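To make the rule's conditions concrete, the Python below re-implements the same logic over a handful of constructed sample messages. This is an added example, not part of the Sublime rule or the Sublime engine. The `sender_solicited` and `sender_false_positives` fields stand in for `profile.by_sender().solicited` and `profile.by_sender().any_false_positives`, the message ids and SharePoint URLs are constructed placeholders, and the domain split (last two labels taken as the root domain) is a simplification that does not consult the public suffix list.

```python
"""Constructed re-implementation of the Sublime rule above (example code, not the
Sublime engine). Domain splitting is simplified: the last two labels are treated
as the root domain, which is sufficient for sharepoint.com."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


@dataclass
class Message:
    message_id: str
    subject: str
    links: List[str]
    sender_solicited: bool        # stands in for profile.by_sender().solicited
    sender_false_positives: bool  # stands in for profile.by_sender().any_false_positives


def split_domain(url: str) -> Tuple[str, str]:
    """Return (subdomain, root_domain) for a URL's hostname.

    Simplified: root_domain is the last two labels, subdomain is everything before.
    """
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "", host
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def is_godaddy_default_tenant_link(url: str) -> bool:
    """Mirror the any(body.links, ...) clause: netorg* subdomain on sharepoint.com."""
    sub, root = split_domain(url)
    return root == "sharepoint.com" and sub.startswith("netorg")


def matches_rule(msg: Message) -> bool:
    """Evaluate every condition of the rule; all must hold for a match."""
    mid = msg.message_id
    if not (mid.startswith("<Share-") and mid.endswith("@odspnotify>")):
        return False  # not a Microsoft sharing notification
    if not msg.subject.endswith(" with you"):
        return False  # not the default "shared <filename> with you" subject
    if not any(is_godaddy_default_tenant_link(u) for u in msg.links):
        return False  # no link to a default GoDaddy tenant
    if msg.sender_solicited or msg.sender_false_positives:
        return False  # sender is known to the org or has reported FPs
    return True


# Constructed sample messages (placeholder ids and URLs, not real observations).
SAMPLES: Dict[str, Message] = {
    "godaddy_default_tenant": Message(
        "<Share-PLACEHOLDER@odspnotify>", 'Alice shared "Invoice.pdf" with you',
        ["https://netorgft1234567.sharepoint.com/:b:/g/PLACEHOLDER"], False, False),
    "named_tenant": Message(
        "<Share-PLACEHOLDER@odspnotify>", 'Bob shared "Budget.xlsx" with you',
        ["https://contoso-my.sharepoint.com/:x:/g/PLACEHOLDER"], False, False),
    # Lookalike host: "sharepoint.com" appears, but the real root domain differs.
    "lookalike_root_domain": Message(
        "<Share-PLACEHOLDER@odspnotify>", 'Carol shared "Report.docx" with you',
        ["https://netorgft1234567.sharepoint.com.example.net/login"], False, False),
    "solicited_sender": Message(
        "<Share-PLACEHOLDER@odspnotify>", 'Dave shared "Notes.pdf" with you',
        ["https://netorgft7654321.sharepoint.com/:b:/g/PLACEHOLDER"], True, False),
    "wrong_message_id": Message(
        "<PLACEHOLDER@example.com>", 'Eve shared "Deck.pptx" with you',
        ["https://netorgft1234567.sharepoint.com/:p:/g/PLACEHOLDER"], False, False),
}


def evaluate_samples() -> Dict[str, bool]:
    """Run the rule over every constructed sample and report the verdicts."""
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} -> {'MATCH' if verdict else 'no match'}")
```

Only the first sample matches. The `lookalike_root_domain` case shows why the rule pairs the `netorg` prefix with an exact `root_domain == "sharepoint.com"` comparison rather than a substring test: a host such as `netorgft1234567.sharepoint.com.example.net` carries the tenant prefix and the string `sharepoint.com` but resolves to a different registrable domain, and it correctly falls outside this rule's scope. The two `profile.by_sender()` conditions are the false-positive controls; an organisation that legitimately exchanges files with GoDaddy-hosted tenants will see those senders become solicited and drop out of the match set.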