Suspicious SharePoint File Sharing

This rule detects potential credential phishing that leverages SharePoint file sharing to deliver a PDF, a OneNote file, or a file of unknown type, using indicators such as suspicious sender analysis and link characteristics.

Sublime rule (View on GitHub)

name: "Suspicious SharePoint File Sharing"
description: "This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics."
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
  // NOTE: the Message-ID header is set by the sending system, so this pair of checks is a
  // fingerprint of genuine SharePoint share notifications rather than an authenticity check;
  // the sender / reply-to analysis further down carries the actual phishing decision.
  and strings.starts_with(headers.message_id, '<Share-')
  and strings.ends_with(headers.message_id, '@odspnotify>')
  
  // SharePoint email indicators: body text of the current thread must match one of the
  // share-notification phrases, and the subject must mention "shared"
  and strings.like(body.current_thread.text,
                   "*shared a file with you*",
                   "*shared with you*",
                   "*invited you to access a file*"
  )
  and strings.icontains(subject.subject, "shared")
  
  // sender analysis: two branches depending on whether the sender is the
  // sharepointonline.com notification domain
  and (
    (
      // if the sender is not the sharepointonline.com, we can use the sender email
      // to see if it is a solicited email
      // NOTE(review): `!=` here is case-sensitive while the branch below uses `=~`
      // (case-insensitive); confirm the sender domain is normalized to lowercase before
      // evaluation, otherwise a mixed-case sender domain could satisfy both branches.
      sender.email.domain.domain != "sharepointonline.com"
      and not profile.by_sender().solicited
    )
    // if it is the sharepointonline sender, use the reply-to header
    or (
      sender.email.domain.domain =~ "sharepointonline.com"
      // the length guard keeps the all() quantifiers below from being vacuously
      // satisfied when no reply-to address is present
      and length(headers.reply_to) > 0
      and 
      // a newly created domain
      (
        all(headers.reply_to,
            .email.domain.root_domain not in $free_email_providers
            // presumably an unavailable whois result yields no days_old and this
            // comparison is then false — confirm against the platform's null semantics
            and network.whois(.email.domain).days_old <= 30
            // reply-to must differ from the sender address itself
            and .email.email != sender.email.email
        )
  
        // is a free email provider
        or all(headers.reply_to,
               .email.domain.root_domain in $free_email_providers
        )

        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        
        // no outbound emails 
        or not beta.profile.by_reply_to().solicited
      )
      // do not match if the reply_to address has been observed as a reply_to address
      // of a message that has been classified as benign
      and not beta.profile.by_reply_to().any_messages_benign
    )
  )
  // link logic: at least one body link must point at a personal sharepoint.com share
  // of one of the targeted file types
  and any(body.links,
          .href_url.domain.root_domain == "sharepoint.com"
          // it is a personal share
          and (
            // /g/ is only found with /personal
            strings.icontains(.href_url.path, '/g/personal/')
            or strings.icontains(.href_url.path, '/p/')
          )
          // it is a OneNote (/:o:/), PDF (/:b:/), or unknown-type (/:u:/) share link;
          // the three markers together match the file types named in the description
          and (
            strings.icontains(.href_url.path, '/:o:/')
            or strings.icontains(.href_url.path, '/:b:/')
            or strings.icontains(.href_url.path, '/:u:/')
          )
  )  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Free file host"
  - "OneNote"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "971c3d9c-1605-5307-85e3-c017c6b72abb"