Service abuse: File sharing impersonation with external SharePoint links
Detects inbound messages claiming to share files or invite access that contain SharePoint or OneDrive links hosted outside the recipient organization's tenant domains (including SharePoint links wrapped by Mimecast URL rewriting). The rule flags sharing notifications in which a link's display text is the sender's display name rather than a document name. Legitimate sharing services label the link with the shared item; reusing the sender's name as link text is a common pattern in credential-phishing pages that impersonate those services.
Sublime rule
name: "Service abuse: File sharing impersonation with external SharePoint links"
description: "Detects inbound messages claiming to share files or invite access, containing SharePoint or OneDrive links from external domains. The rule identifies suspicious sharing notifications where link display text matches the sender's name rather than a legitimate document name, indicating potential impersonation of legitimate file sharing services."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // subject and body must look like a file-sharing notification
  and strings.ilike(subject.subject, "*shared*", "*invit*")
  and strings.ilike(body.current_thread.text,
                    "*shared a file with you*",
                    "*shared with you*",
                    "*invited you to access a file*"
  )
  // edit invitations are excluded (wildcards needed: ilike without them is an exact match)
  and not strings.ilike(body.current_thread.text, "*invited you to edit*")
  and (
    any(filter(body.current_thread.links,
               // only links outside the organization's own tenant domains
               .href_url.domain.domain not in $tenant_domains
               and (
                 .href_url.domain.root_domain == "sharepoint.com"
                 or .href_url.domain.root_domain == "1drv.ms"
                 // Mimecast-rewritten links carry the SharePoint host in the query string
                 or (
                   .href_url.domain.root_domain == 'mimecastprotect.com'
                   and strings.icontains(.href_url.query_params,
                                         '.sharepoint.com'
                   )
                 )
               )
               and .display_text != "Open"
        ),
        // check if the display_text exactly matches the sender's display name
        .display_text == sender.display_name
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
  - "Sender analysis"
id: "729661f2-8c11-5e74-8c2b-c20448d66576"
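To see how the rule's conditions combine, the following is an added Python re-implementation of the same logic run over constructed sample messages; it is example code written for this page, not Sublime's engine or the rule itself. The tenant list, the `Message`/`Link` structures, and the simplified `root_domain()` helper (which stands in for MQL's public-suffix-aware `.root_domain`) are assumptions made for the example. It covers the cases a practitioner would want to test: a plain external-tenant impersonation, a benign external share whose link text is a document name, a link to the organization's own tenant, an edit invitation (the rule's exclusion), and a Mimecast-rewritten SharePoint link.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumption: stands in for Sublime's $tenant_domains list for a fictional "contoso" tenant.
TENANT_DOMAINS = {"contoso.com", "contoso.sharepoint.com", "contoso-my.sharepoint.com"}


@dataclass
class Link:
    href_url: str
    display_text: str


@dataclass
class Message:
    sender_display_name: str
    subject: str
    body_text: str
    links: list


def ilike(text, *patterns):
    """Case-insensitive glob match mirroring MQL strings.ilike: '*' is the only
    wildcard, and a pattern without one must match the whole string."""
    for pattern in patterns:
        regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
        if re.search(regex, text, re.IGNORECASE | re.DOTALL):
            return True
    return False


def root_domain(host):
    """Simplified eTLD+1 (assumption: two-label public suffixes only, enough for
    sharepoint.com, 1drv.ms and mimecastprotect.com)."""
    return ".".join(host.lower().split(".")[-2:])


def is_external_sharing_link(link):
    """The filter() predicate: external to the tenant and a SharePoint/OneDrive link,
    directly or wrapped by Mimecast URL rewriting."""
    url = urlsplit(link.href_url)
    host = (url.hostname or "").lower()
    if host in TENANT_DOMAINS:
        return False
    rd = root_domain(host)
    if rd in ("sharepoint.com", "1drv.ms"):
        return True
    return rd == "mimecastprotect.com" and ".sharepoint.com" in url.query.lower()


def matches_rule(msg):
    if not ilike(msg.subject, "*shared*", "*invit*"):
        return False
    if not ilike(msg.body_text, "*shared a file with you*", "*shared with you*",
                 "*invited you to access a file*"):
        return False
    if ilike(msg.body_text, "*invited you to edit*"):
        return False
    candidates = [l for l in msg.links
                  if is_external_sharing_link(l) and l.display_text != "Open"]
    # any(): at least one external sharing link is labelled with the sender's name
    return any(l.display_text == msg.sender_display_name for l in candidates)


# Constructed sample messages (hypothetical tenants, not real captures).
SAMPLES = {
    "impersonation": Message("Jane Doe", "Jane Doe shared a file with you",
        "Jane Doe shared a file with you. Click below to view.",
        [Link("https://evil-tenant.sharepoint.com/:x:/g/personal/abc", "Jane Doe")]),
    "legit_external": Message("Bob Smith", "Bob Smith shared a file with you",
        "Bob Smith shared a file with you.",
        [Link("https://partner.sharepoint.com/:x:/g/doc", "Q3 Budget.xlsx"),
         Link("https://partner.sharepoint.com/:x:/g/doc", "Open")]),
    "internal": Message("Jane Doe", "Jane Doe shared a file with you",
        "Jane Doe shared a file with you.",
        [Link("https://contoso.sharepoint.com/:x:/g/doc", "Jane Doe")]),
    "edit_invite": Message("Jane Doe", "Jane Doe invited you to edit",
        "Jane Doe invited you to edit the file shared with you.",
        [Link("https://evil-tenant.sharepoint.com/:x:/g/doc", "Jane Doe")]),
    "mimecast_rewritten": Message("Jane Doe", "Invitation: shared with you",
        "Jane Doe shared with you a document.",
        [Link("https://url.uk.m.mimecastprotect.com/s/abc?domain=evil-tenant.sharepoint.com",
              "Jane Doe")]),
}


def evaluate_all():
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:20} -> {'ALERT' if hit else 'pass'}")
```

Only the direct impersonation and the Mimecast-wrapped case fire; the benign external share fails because its link text is a document name, the internal share is excluded by the tenant-domain check, and the edit invitation is dropped by the exclusion pattern. The `ilike` helper makes the wildcard point concrete: a pattern without `*` matches only the entire body, which is why the exclusion pattern needs the surrounding wildcards.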