Link: Suspicious SharePoint document name
The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file.
Sublime rule (View on GitHub)
1name: "Link: Suspicious SharePoint document name"
2description: "The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file."
3type: "rule"
4severity: "low"
5source: |
6 type.inbound
7 and strings.ilike(subject.subject, "*shared*", "*invit*")
8 and strings.ilike(body.current_thread.text,
9 "*shared a file with you*",
10 "*shared with you*",
11 "*invited you to access a file*"
12 )
13 and not strings.ilike(body.current_thread.text, "invited you to edit")
14 and (
15 // use the display text of the link to determine the name of the file
16 any(filter(body.links,
17 (
18 .href_url.domain.root_domain == "sharepoint.com"
19 or .href_url.domain.root_domain == "1drv.ms"
20 // handle urls with mimecast rewriting
21 or (
22 .href_url.domain.root_domain == 'mimecastprotect.com'
23 and strings.icontains(.href_url.query_params,
24 '.sharepoint.com'
25 )
26 )
27 )
28 and .display_text != "Open"
29 ),
30
31 // the file name does not include lowercase letters, while allowing for non letter chars
32 regex.match(.display_text, '^[^a-z]+$')
33
34 // file sharing service references
35 or strings.icontains(.display_text, 'dropbox')
36 or strings.icontains(.display_text, 'docusign')
37
38 // file name lures
39 // secure theme
40 or regex.icontains(.display_text, 'secured?.*(?:file|document|docs|fax)')
41 or regex.icontains(.display_text, 'important.*(?:file|document|docs|fax)')
42 or regex.icontains(.display_text, 'shared?.*(?:file|document|docs|fax)')
43 or regex.icontains(.display_text, 'protected.*(?:file|document|docs|fax)')
44 or regex.icontains(.display_text, 'encrypted.*(?:file|document|docs|fax)')
45
46 // scanner theme
47 or strings.icontains(.display_text, 'scanne[rd]_')
48 // image themed
49 or strings.icontains(.display_text, '_IMG_')
50 or regex.icontains(.display_text, '^IMG[_-](?:\d|\W)+$')
51
52 // digits
53 or regex.icontains(.display_text, 'doc(?:ument)?\s?\d+$')
54 or regex.icontains(.display_text, '^\d+$')
55
56 // onedrive theme
57 or strings.icontains(.display_text, 'one_docx')
58 or strings.icontains(.display_text, 'OneDrive')
59 or regex.icontains(.display_text, 'A document.*One.?Drive')
60
61 // action in file name
62 or strings.icontains(.display_text, 'click here')
63 or strings.icontains(.display_text, 'Download PDF')
64 or strings.icontains(.display_text, 'Validate')
65
66 // limited file name to "confidential"
67 or .display_text =~ 'Confidentiality'
68 or .display_text =~ 'Confidential'
69
70 // invoice themes
71 or any(ml.nlu_classifier(.display_text).entities, .name == "financial")
72 or strings.icontains(.display_text, 'payment')
73 or strings.icontains(.display_text, 'invoice')
74 or regex.icontains(.display_text, 'INV(?:_|\s)?\d+$')
75 // starts with INV_ or INV\x20
76 or regex.icontains(.display_text, '^INV(?:_|\s)')
77 or regex.icontains(.display_text, 'P[O0]\W+?\d+$')
78 or strings.icontains(.display_text, 'receipt')
79 or strings.icontains(.display_text, 'billing')
80 or (
81 strings.icontains(.display_text, 'statement')
82 and not .display_text =~ "Privacy Statement"
83 )
84 or strings.icontains(.display_text, 'Past Due')
85 or regex.icontains(.display_text, 'Remit(tance)?')
86 or strings.icontains(.display_text, 'Purchase Order')
87
88 // contract language
89 or strings.icontains(.display_text, 'settlement')
90 or strings.icontains(.display_text, 'contract agreement')
91 or regex.icontains(.display_text, 'Pr[0o]p[0o]sal')
92 or strings.icontains(.display_text, 'contract doc')
93
94 // generic document name AND additional suspicious indicator
95 or (
96 regex.imatch(.display_text, 'documents?')
97 and (
98 // Find the share comment in the HTML and check for reply/forward "impersonation"
99 regex.icontains(body.html.raw,
100 '<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)'
101 )
102 )
103 )
104
105 // Payroll/HR
106 // section also used in abuse_dropbox_sus_names.yml with modified input
107 or strings.icontains(.display_text, 'Payroll')
108 or strings.icontains(.display_text, 'Employee Pay\b')
109 or strings.icontains(.display_text, 'Salary')
110 or strings.icontains(.display_text, 'Benefit Enrollment')
111 or strings.icontains(.display_text, 'Employee Handbook')
112 or strings.icontains(.display_text, 'Reimbursement Approved')
113 or regex.icontains(.display_text,
114 '(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
115 )
116
117 // pattern of `sld - open items`
118 or strings.istarts_with(.display_text,
119 strings.concat(sender.email.domain.sld, ' - ')
120 )
121 )
122 )
123 and (
124 // and sender has never had email sent to them
125 profile.by_sender().solicited == false
126 // often times no-reply is soliticed due to various behaviors
127 or sender.email.email == "no-reply@sharepointonline.com"
128 )
129attack_types:
130 - "Credential Phishing"
131tactics_and_techniques:
132 - "Free file host"
133 - "Evasion"
134detection_methods:
135 - "Content analysis"
136id: "f95fee6e-8127-5888-a9a9-4bbeabfe33a3"