Suspicious SharePoint File Sharing
This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.
Sublime rule (View on GitHub)
1name: "Suspicious SharePoint File Sharing"
2description: "This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7
8 // Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
9 and strings.starts_with(headers.message_id, '<Share-')
10 and strings.ends_with(headers.message_id, '@odspnotify>')
11
12 // SharePoint email indicators
13 and strings.like(body.current_thread.text,
14 "*shared a file with you*",
15 "*shared with you*",
16 "*invited you to access a file*"
17 )
18 and strings.icontains(subject.subject, "shared")
19
20 // sender analysis
21 and (
22 (
23 // if the sender is not the sharepointonline.com, we can use the sender email
24 // to see if it is a solicited email
25 sender.email.domain.domain != "sharepointonline.com"
26 and not profile.by_sender().solicited
27 )
28 // if it is the sharepointonline sender, use the reply-to header
29 or (
30 sender.email.domain.domain =~ "sharepointonline.com"
31 and length(headers.reply_to) > 0
32 and
33 // a newly created domain
34 (
35 all(headers.reply_to,
36 .email.domain.root_domain not in $free_email_providers
37 and network.whois(.email.domain).days_old <= 30
38 and .email.email != sender.email.email
39 )
40
41 // is a free email provider
42 or all(headers.reply_to,
43 .email.domain.root_domain in $free_email_providers
44 )
45
46 // no outbound emails
47 or all(headers.reply_to, .email.email not in $recipient_emails)
48 )
49 )
50 )
51 // link logic
52 and any(body.links,
53 .href_url.domain.root_domain == "sharepoint.com"
54 // it is a personal share
55 and (
56 // /g/ is only found with /personal
57 strings.icontains(.href_url.path, '/g/personal/')
58 or strings.icontains(.href_url.path, '/p/')
59 )
60 // it is either a OneNote or PDF
61 and (
62 strings.icontains(.href_url.path, '/:o:/')
63 or strings.icontains(.href_url.path, '/:b:/')
64 or strings.icontains(.href_url.path, '/:u:/')
65 )
66 )
67
68attack_types:
69 - "Credential Phishing"
70tactics_and_techniques:
71 - "Free email provider"
72 - "Free file host"
73 - "OneNote"
74 - "PDF"
75detection_methods:
76 - "Content analysis"
77 - "Header analysis"
78 - "Sender analysis"
79 - "URL analysis"
80id: "971c3d9c-1605-5307-85e3-c017c6b72abb"