Service abuse: Citrix ShareFile impersonation via Outlook plugin

Detects inbound messages with Word document attachments containing references to sharefile.com and Outlook plugin system indicators, suggesting abuse of legitimate file sharing services to deliver malicious content.

Sublime rule (View on GitHub)

 1name: "Service abuse: Citrix ShareFile impersonation via Outlook plugin"
 2description: "Detects inbound messages with Word document attachments containing references to sharefile.com and Outlook plugin system indicators, suggesting abuse of legitimate file sharing services to deliver malicious content."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          .file_type in ("doc", "docx")
 9          and any(file.explode(.),
10                  strings.icontains(.scan.strings.raw, "sharefile.com")
11                  and strings.icontains(.scan.strings.raw,
12                                        "src=system-email-outlookplugin-new"
13                  )
14          )
15  )    
16attack_types:
17  - "BEC/Fraud"
18  - "Credential Phishing"
19tactics_and_techniques:
20  - "Free file host"
21  - "Social engineering"
22detection_methods:
23  - "File analysis"
24  - "Content analysis"
25id: "29f07b46-d766-5aac-a4c3-78ddd0fec481"