Link: Uncommon SharePoint document type with sender's display name

Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name.

Sublime rule (View on GitHub)

 1name: "Link: Uncommon SharePoint document type with sender's display name"
 2description: "Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Matches the Message-ID format observed on SharePoint/OneDrive share notifications
    // ('<Share-...@odspnotify>'). DKIM/SPF domains can be custom and therefore are
    // unpredictable, so the header format is used as the identifier instead.
    // NOTE(review): Message-ID is sender-supplied, so this only narrows the candidate
    // set; the body, HTML and link conditions below carry the actual match.
 9  and (
10    (
11      strings.starts_with(headers.message_id, '<Share-')
12      and strings.ends_with(headers.message_id, '@odspnotify>')
13    )
14    or (
      // same pattern when the original Message-ID has been preserved in
      // X-Google-Original-Message-ID on a received hop (presumably after a
      // Google hop rewrote the top-level Message-ID)
15      any(headers.hops,
16          any(.fields,
17              .name == "X-Google-Original-Message-ID"
18              and strings.starts_with(.value, '<Share-')
19              and strings.ends_with(.value, '@odspnotify>')
20          )
21      )
22    )
23  )
24  
25  // SharePoint email indicators: share-notification wording in the current
    // thread text plus "shared" somewhere in the subject (case-insensitive)
26  and strings.like(body.current_thread.text,
27                   "*shared a file with you*",
28                   "*shared with you*",
29                   "*invited you to access a file*"
30  )
31  and strings.icontains(subject.subject, "shared")
32  
33  // file name is the sender's name: some text node in the last row of a
    // presentation-role table (presumably where the shared file name is rendered)
    // equals the sender's display name, case-insensitively (=~)
34  and any(html.xpath(body.html,
35                     '//table[@role="presentation"]//tr[last()]//text()'
36          ).nodes,
37          .display_text =~ sender.display_name
38  )
39  
40  // link logic: at least one body link must be a personal SharePoint share
    // of one of the listed file-type codes
41  and any(body.links,
42          .href_url.domain.root_domain == "sharepoint.com"
43          // it is a personal share
44          and (
45            // /g/ is only found with /personal
46            strings.icontains(.href_url.path, '/g/personal/')
47            or strings.icontains(.href_url.path, '/p/')
48          )
49          // share-type code in the path: /:o:/ (OneNote) or /:b:/ (PDF).
            // /:u:/ is a third code that the rule name and description ("OneNote
            // or PDF") do not mention — NOTE(review): confirm it is intended; if
            // it is, widen the description, otherwise drop that branch.
50          and (
51            strings.icontains(.href_url.path, '/:o:/')
52            or strings.icontains(.href_url.path, '/:b:/')
53            or strings.icontains(.href_url.path, '/:u:/')
54          )
55  )  
56tags:
57 - "Attack surface reduction"
58attack_types:
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Social engineering"
62  - "OneNote"
63  - "PDF"
64detection_methods:
65  - "Content analysis"
66  - "Header analysis"
67  - "HTML analysis"
68  - "URL analysis"
69id: "02d290b2-9cf5-5699-ac0c-e1e595d74d57"
