Link: Uncommon SharePoint document type with sender's display name

calendar Aug 5, 2025 · Attack surface reduction  ·
Share on: linkedin copy

Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name.

Sublime rule (View on GitHub)

 1name: "Link: Uncommon SharePoint document type with sender's display name"
 2description: "Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
 9  and (
10    (
11      strings.starts_with(headers.message_id, '<Share-')
12      and strings.ends_with(headers.message_id, '@odspnotify>')
13    )
14    or (
15      any(headers.hops,
16          any(.fields,
17              .name == "X-Google-Original-Message-ID"
18              and strings.starts_with(.value, '<Share-')
19              and strings.ends_with(.value, '@odspnotify>')
20          )
21      )
22    )
23  )
24  
25  // SharePoint email indicators
26  and strings.like(body.current_thread.text,
27                   "*shared a file with you*",
28                   "*shared with you*",
29                   "*invited you to access a file*"
30  )
31  and strings.icontains(subject.subject, "shared")
32  
33  // file name is the sender's name
34  and any(html.xpath(body.html,
35                     '//table[@role="presentation"]//tr[last()]//text()'
36          ).nodes,
37          .display_text =~ sender.display_name
38  )
39  
40  // link logic
41  and any(body.links,
42          .href_url.domain.root_domain == "sharepoint.com"
43          // it is a personal share
44          and (
45            // /g/ is only found with /personal
46            strings.icontains(.href_url.path, '/g/personal/')
47            or strings.icontains(.href_url.path, '/p/')
48          )
49          // it is either a OneNote or PDF
50          and (
51            strings.icontains(.href_url.path, '/:o:/')
52            or strings.icontains(.href_url.path, '/:b:/')
53            or strings.icontains(.href_url.path, '/:u:/')
54          )
55  )  
56tags:
57 - "Attack surface reduction"
58attack_types:
59  - "Credential Phishing"
60tactics_and_techniques:
61  - "Social engineering"
62  - "OneNote"
63  - "PDF"
64detection_methods:
65  - "Content analysis"
66  - "Header analysis"
67  - "HTML analysis"
68  - "URL analysis"
69id: "02d290b2-9cf5-5699-ac0c-e1e595d74d57"

Related rules

to-top