Link: SharePoint OneNote or PDF link with self sender behavior
Detects messages where the sender and recipient are the same address, containing SharePoint links to OneNote or PDF files, with minimal attachments and non-standard message IDs indicating potential abuse of SharePoint services for malicious purposes.
Sublime rule:

name: "Link: SharePoint OneNote or PDF link with self sender behavior"
description: "Detects messages where the sender and recipient are the same address, containing SharePoint links to OneNote or PDF files, with minimal attachments and non-standard message IDs indicating potential abuse of SharePoint services for malicious purposes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // self sender
  and length(recipients.to) == 1
  and recipients.to[0].email.email == sender.email.email
  // single link to sharepoint
  and length(filter(body.current_thread.links,
                    .href_url.domain.root_domain == 'sharepoint.com'
                    // it is either a OneNote or PDF file, or unknown
                    and regex.icontains(.href_url.path,
                                        '\/:[obu]:\/(?:p|g\/personal)'
                    )
             )
      ) == 1
  // only one link to sharepoint
  and length(filter(body.current_thread.links,
                    .href_url.domain.root_domain == 'sharepoint.com'
             )
      ) == 1
  // not sent via sharepoint
  and not strings.starts_with(headers.message_id, '<Share-')
  and not strings.ends_with(headers.message_id, '@odspnotify>')
  // 0 or 1 attachments (this reduces FPs which had many attachments)
  and length(attachments) - length(filter(attachments,
                                          strings.contains(body.html.raw,
                                                           strings.concat('src="cid:',
                                                                          .content_id
                                                           )
                                          )
                                   )
      ) <= 1
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "OneNote"
  - "PDF"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "588e7203-98f8-5ab0-a89a-803ae377bda5"
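As an added illustration, not part of the Sublime rule or its repository, the Python below re-implements the rule's five conditions over constructed sample messages so each exclusion (genuine share notification, more than one SharePoint link, a site page rather than a file link) can be seen firing. The message dict keys and the simplified root-domain helper are assumptions standing in for Sublime's MDM fields.

```python
import re
from urllib.parse import urlparse

# Same pattern as the rule: /:o:/ (OneNote), /:b:/ (PDF) or /:u:/ (unknown)
# followed by /p/ or /g/personal/, matched case-insensitively like regex.icontains
SHAREPOINT_FILE_PATH = re.compile(r'/:[obu]:/(?:p|g/personal)', re.IGNORECASE)

def root_domain(host):
    # Stand-in for .href_url.domain.root_domain (assumption: last two labels only)
    labels = host.lower().split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host.lower()

def matches_rule(msg):
    # msg keys (assumed): sender, to, message_id, links, body_html,
    # attachments (list of content-ids, None when an attachment has none)
    # self sender: exactly one recipient and it equals the sender
    if len(msg['to']) != 1 or msg['to'][0].lower() != msg['sender'].lower():
        return False
    # exactly one sharepoint.com link, and it points at a OneNote/PDF/unknown file
    sp = [u for u in msg['links'] if root_domain(urlparse(u).hostname or '') == 'sharepoint.com']
    if len(sp) != 1 or not SHAREPOINT_FILE_PATH.search(urlparse(sp[0]).path):
        return False
    # not a genuine SharePoint sharing notification (Message-ID shape)
    mid = msg['message_id']
    if mid.startswith('<Share-') or mid.endswith('@odspnotify>'):
        return False
    # 0 or 1 attachments once inline (cid-referenced) images are discounted
    inline = [c for c in msg['attachments'] if c and f'src="cid:{c}"' in msg['body_html']]
    return len(msg['attachments']) - len(inline) <= 1

# Constructed sample messages, not real traffic
BASE = {'sender': 'alice@example.com', 'to': ['alice@example.com'],
        'message_id': '<abc123@mail.example.com>', 'body_html': '', 'attachments': []}
SAMPLES = {
    'self_sent_onenote_link': {**BASE,
        'links': ['https://contoso-my.sharepoint.com/:o:/g/personal/alice_example_com/ABC'],
        'body_html': '<img src="cid:logo1">', 'attachments': ['logo1', None]},
    'real_share_notification': {**BASE, 'message_id': '<Share-xyz@odspnotify>',
        'links': ['https://contoso-my.sharepoint.com/:b:/p/alice/DEF']},
    'two_sharepoint_links': {**BASE,
        'links': ['https://contoso.sharepoint.com/:b:/p/alice/DEF',
                  'https://contoso.sharepoint.com/sites/team/Shared%20Documents']},
    'site_page_not_file': {**BASE,
        'links': ['https://contoso.sharepoint.com/sites/team/SitePages/Home.aspx']},
}

def evaluate_samples():
    # Returns {sample name: True if the rule would fire}
    return {name: matches_rule(m) for name, m in SAMPLES.items()}
```

Only the first sample fires; the inline logo attachment is discounted, leaving one non-inline attachment, which is within the rule's limit.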