Link: Uncommon SharePoint document type with sender's display name
Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name.
Sublime rule (View on GitHub)
name: "Link: Uncommon SharePoint document type with sender's display name"
description: "Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Message-ID anchor: genuine SharePoint/OneDrive share notifications carry a
  // Message-ID of the form <Share-...@odspnotify>. The same value is also accepted
  // from an X-Google-Original-Message-ID hop header, which is present when the
  // original id was rewritten in transit (presumably by a Google relay).
  // DKIM/SPF domains are tenant-specific and therefore not a reliable anchor.
  and (
    (
      strings.starts_with(headers.message_id, '<Share-')
      and strings.ends_with(headers.message_id, '@odspnotify>')
    )
    or (
      any(headers.hops,
          any(.fields,
              .name == "X-Google-Original-Message-ID"
              and strings.starts_with(.value, '<Share-')
              and strings.ends_with(.value, '@odspnotify>')
          )
      )
    )
  )

  // Share-notification phrasing in the current thread body and in the subject.
  // Any one of the body patterns is sufficient; the subject must contain "shared".
  and strings.like(body.current_thread.text,
                   "*shared a file with you*",
                   "*shared with you*",
                   "*invited you to access a file*"
  )
  and strings.icontains(subject.subject, "shared")

  // Lure check: the file name rendered in the notification equals the sender's
  // display name (=~ is a case-insensitive comparison). The XPath assumes the
  // file name is the text of the last row of the presentation-role table, so a
  // template change on Microsoft's side would silently reduce coverage — verify
  // against current notifications periodically.
  and any(html.xpath(body.html,
                     '//table[@role="presentation"]//tr[last()]//text()'
          ).nodes,
          .display_text =~ sender.display_name
  )

  // Link logic: the share must point at sharepoint.com itself. The lure abuses
  // legitimate hosting, so the domain alone is not suspicious; the path shape is
  // what narrows the match.
  and any(body.links,
          .href_url.domain.root_domain == "sharepoint.com"
          // it is a personal (OneDrive for Business) share path
          and (
            // /g/ is only found with /personal
            strings.icontains(.href_url.path, '/g/personal/')
            or strings.icontains(.href_url.path, '/p/')
          )
          // share-link type segment: /:o:/ OneNote, /:b:/ PDF, and /:u:/ which
          // SharePoint uses for files without a dedicated viewer (other/unknown
          // types). Note this is broader than the OneNote/PDF wording in the
          // description above.
          and (
            strings.icontains(.href_url.path, '/:o:/')
            or strings.icontains(.href_url.path, '/:b:/')
            or strings.icontains(.href_url.path, '/:u:/')
          )
  )
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "OneNote"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "URL analysis"
id: "02d290b2-9cf5-5699-ac0c-e1e595d74d57"