Suspicious SharePoint File Sharing

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.

Sublime rule (View on GitHub)

 1name: "Suspicious SharePoint File Sharing"
 2description: "This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  
 8  // Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
 9  and strings.starts_with(headers.message_id, '<Share-')
10  and strings.ends_with(headers.message_id, '@odspnotify>')
11  
12  // SharePoint email indicators
13  and strings.like(body.current_thread.text,
14                   "*shared a file with you*",
15                   "*shared with you*",
16                   "*invited you to access a file*"
17  )
18  and strings.icontains(subject.subject, "shared")
19  
20  // sender analysis 
21  and (
22    (
23      // if the sender is not the sharepointonline.com, we can use the sender email
24      // to see if it is a solicited email
25      sender.email.domain.domain != "sharepointonline.com"
26      and not profile.by_sender().solicited
27    )
28    // if it is the sharepointonline sender, use the reply-to header
29    or (
30      sender.email.domain.domain =~ "sharepointonline.com"
31      and length(headers.reply_to) > 0
32      and 
33      // a newly created domain
34      (
35        all(headers.reply_to,
36            .email.domain.root_domain not in $free_email_providers
37            and network.whois(.email.domain).days_old <= 30
38            and .email.email != sender.email.email
39        )
40  
41        // is a free email provider
42        or all(headers.reply_to,
43               .email.domain.root_domain in $free_email_providers
44        )
45  
46        // no outbound emails 
47        or all(headers.reply_to, .email.email not in $recipient_emails)
48      )
49    )
50  )
51  // link logic
52  and any(body.links,
53          .href_url.domain.root_domain == "sharepoint.com"
54          // it is a personal share
55          and (
56            // /g/ is only found with /personal
57            strings.icontains(.href_url.path, '/g/personal/')
58            or strings.icontains(.href_url.path, '/p/')
59          )
60          // it is either a OneNote or PDF
61          and (
62            strings.icontains(.href_url.path, '/:o:/')
63            or strings.icontains(.href_url.path, '/:b:/')
64            or strings.icontains(.href_url.path, '/:u:/')
65          )
66  )  
67
68attack_types:
69  - "Credential Phishing"
70tactics_and_techniques:
71  - "Free email provider"
72  - "Free file host"
73  - "OneNote"
74  - "PDF"
75detection_methods:
76  - "Content analysis"
77  - "Header analysis"
78  - "Sender analysis"
79  - "URL analysis"
80id: "971c3d9c-1605-5307-85e3-c017c6b72abb"
to-top