Sharepoint file share with suspicious recipients pattern

This rule detects messages originating from sharepoint.com with undisclosed recipients that are attempting to solicit the user to click a link. This has been observed in the event of an account compromise where the compromised account was utilizing legitimate file sharing services to share malicious links.

Sublime rule (View on GitHub)

name: "Sharepoint file share with suspicious recipients pattern"
description: |
  This rule detects messages originating from sharepoint.com with undisclosed recipients that are attempting to solicit the user to click a link.
  This has been observed in the event of an account compromise where the compromised account was utilizing legitimate file sharing services to share malicious links.
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Suspicious recipient pattern
  and any(recipients.to, .display_name == "Undisclosed recipients")
  and strings.ilike(body.current_thread.text,
                    "*shared a file with you*",
                    "*shared with you*",
                    "*invited you to access a file*"
  )
  and strings.icontains(subject.subject, "shared")
  and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "URL analysis"
id: "998a0826-e917-5a8f-9e15-0f1ded21bf91"