Sharepoint online with external recipients and external display name
An email from SharePoint Online that was sent to many recipients and whose sender display name does not match anyone in your organization.
Sublime rule

name: "Sharepoint online with external recipients and external display name"
description: |
  An email from Sharepoint Online that was sent to multiple recipients that did not originate from a sender, by display name, in your organization.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "no-reply@sharepointonline.com"
  and length(recipients.to) > 40 // You may want to adjust this threshold if 40 is too aggressive
  and any(recipients.to, .email.domain.domain in $free_email_providers)
  and sender.display_name not in $org_display_names
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "5579bb4b-a225-57c1-99e1-65c704bad6ad"
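The rule's four conditions re-implemented in Python as an added example (not Sublime's code or the rule author's), so they can be exercised against constructed messages and the recipient threshold tuned; the free-mail and org display-name sets are assumed stand-ins for Sublime's $free_email_providers and $org_display_names lists.

```python
from dataclasses import dataclass

# Constructed stand-ins for Sublime's $free_email_providers and
# $org_display_names lists (assumed values for this example only).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
ORG_DISPLAY_NAMES = {"Alice Example", "Bob Example", "IT Helpdesk"}
SHAREPOINT_SENDER = "no-reply@sharepointonline.com"
RECIPIENT_THRESHOLD = 40  # length(recipients.to) > 40 in the rule; tune per org

@dataclass
class Message:
    """Minimal view of the message fields the rule inspects."""
    inbound: bool
    sender_email: str
    sender_display_name: str
    recipients_to: list[str]

def domain_of(address: str) -> str:
    """Domain part of an address, lower-cased for case-insensitive matching."""
    return address.rsplit("@", 1)[-1].lower()

def matches_rule(msg: Message, threshold: int = RECIPIENT_THRESHOLD) -> bool:
    """Evaluate the rule's conditions in the same order as the MQL source."""
    if not msg.inbound:
        return False
    if msg.sender_email.lower() != SHAREPOINT_SENDER:
        return False
    if len(msg.recipients_to) <= threshold:
        return False
    if not any(domain_of(r) in FREE_EMAIL_PROVIDERS for r in msg.recipients_to):
        return False
    # A share notification bearing a display name nobody in the org uses.
    return msg.sender_display_name not in ORG_DISPLAY_NAMES

# Constructed sample messages (not real traffic).
_corp = [f"user{i}@example.com" for i in range(44)]
SUSPICIOUS_SHARE = Message(True, SHAREPOINT_SENDER, "Mallory Unknown",
                           _corp + ["victim@gmail.com"])   # 45 recipients, unknown name
INTERNAL_SHARE = Message(True, SHAREPOINT_SENDER, "Alice Example",
                         _corp + ["victim@gmail.com"])     # same blast, known sharer
SMALL_SHARE = Message(True, SHAREPOINT_SENDER, "Mallory Unknown",
                      _corp[:7] + ["victim@gmail.com"])    # only 8 recipients

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS_SHARE), ("internal", INTERNAL_SHARE)):
        print(f"{label}: {matches_rule(m)}")
```

Lowering the threshold argument shows how the SMALL_SHARE case flips from miss to match, which is the tuning trade-off the rule's inline comment points at.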