Sharepoint online with external recipients and external display name

An email from SharePoint Online (the `no-reply@sharepointonline.com` sender) delivered to an unusually large number of recipients, at least one of them at a free email provider, whose sender display name does not match anyone in your organization.

Sublime rule

```yaml
name: "Sharepoint online with external recipients and external display name"
description: |
    An email from Sharepoint Online that was sent to multiple recipients that did not originate from a sender, by display name, in your organization.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "no-reply@sharepointonline.com"
  and length(recipients.to) > 40 // You may want to adjust this threshold if 40 is too aggressive
  and any(recipients.to, .email.domain.domain in $free_email_providers)
  and sender.display_name not in $org_display_names
attack_types:
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "5579bb4b-a225-57c1-99e1-65c704bad6ad"
```
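To see how the five conditions interact, here is the same logic re-implemented in plain Python and run over constructed sample messages. This is an added example, not part of the Sublime rule or its engine; the `FREE_EMAIL_PROVIDERS` and `ORG_DISPLAY_NAMES` sets are stand-ins for the `$free_email_providers` and `$org_display_names` lists, and the case folding of the display name is an assumption.

```python
from dataclasses import dataclass

# Constructed stand-ins for the lists the rule references ($free_email_providers,
# $org_display_names); in Sublime these are maintained lists, not literals.
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com"}
ORG_DISPLAY_NAMES = {"alice chen", "finance team"}
SHAREPOINT_SENDER = "no-reply@sharepointonline.com"
RECIPIENT_THRESHOLD = 40  # the knob the rule's comment says to tune for your environment


@dataclass
class Message:
    inbound: bool
    sender_email: str
    sender_display_name: str
    to: list  # recipient addresses, i.e. recipients.to


def domain_of(address: str) -> str:
    """Lower-cased domain of an address (mirrors .email.domain.domain)."""
    return address.rsplit("@", 1)[-1].lower()


def matches_rule(msg: Message, threshold: int = RECIPIENT_THRESHOLD) -> bool:
    """Evaluate the rule's conjuncts in the order they appear in the MQL source."""
    if not msg.inbound:
        return False
    if msg.sender_email.lower() != SHAREPOINT_SENDER:
        return False
    if len(msg.to) <= threshold:  # rule requires strictly more than the threshold
        return False
    if not any(domain_of(a) in FREE_EMAIL_PROVIDERS for a in msg.to):
        return False
    # Suppress when the display name belongs to someone in the org (case folded here; assumption).
    if msg.sender_display_name.lower() in ORG_DISPLAY_NAMES:
        return False
    return True


def sample_messages() -> dict:
    """Constructed messages: one hit plus one case for each condition that suppresses the rule."""
    corp = [f"user{i}@example.com" for i in range(41)]
    mixed = ["victim@gmail.com"] + corp[:40]  # 41 recipients, one at a free provider
    return {
        "hit": Message(True, SHAREPOINT_SENDER, "SharePoint Online", mixed),
        "org_display_name": Message(True, SHAREPOINT_SENDER, "Alice Chen", mixed),
        "below_threshold": Message(True, SHAREPOINT_SENDER, "SharePoint Online", mixed[:40]),
        "no_free_mail": Message(True, SHAREPOINT_SENDER, "SharePoint Online", corp),
        "outbound": Message(False, SHAREPOINT_SENDER, "SharePoint Online", mixed),
    }
```

Only the `hit` message fires; each of the other constructed messages fails exactly one condition, which is a convenient way to check a tuned threshold before deploying it.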