sublime | low | Rule
Attachment: EML with SharePoint files shared from GoDaddy federated tenants
Detects EML attachments containing SharePoint links with 'netorg' subdomain patterns, which may indicate suspicious redirection tactics or domain abuse.
Detection Query
type.inbound
and length(filter(attachments,
                  .file_extension == "eml" or .content_type == "message/rfc822"
           )
) == 1
and any(attachments,
        any(file.parse_eml(.).body.links,
            strings.starts_with(.href_url.domain.subdomain, 'netorg')
            and .href_url.domain.root_domain == "sharepoint.com"
        )
)
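
The same matching logic outside MQL, as an added Python example using only the standard library (not part of the rule or of Sublime's code). The function names and the `netorg0000000` tenant are constructed for illustration, the `type.inbound` check is assumed to happen upstream, and the regex link extraction is a simplification of `body.links`.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ROOT = ".sharepoint.com"

def eml_attachments(msg):
    """Parsed messages for attachments that are .eml files or message/rfc822 parts."""
    out = []
    for part in msg.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            out.append(part.get_content())
        elif (part.get_filename() or "").lower().endswith(".eml"):
            out.append(message_from_bytes(part.get_payload(decode=True), policy=policy.default))
    return out

def body_links(msg):
    """URLs found in the text parts (plain and HTML) of a message."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls += URL_RE.findall(part.get_content())
    return urls

def is_netorg_sharepoint(url):
    """Host is <subdomain>.sharepoint.com and the subdomain starts with 'netorg'."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:
        return False
    return host.endswith(ROOT) and host[: -len(ROOT)].startswith("netorg")

def rule_matches(raw):
    """True when exactly one EML attachment exists and it links to a netorg* tenant."""
    nested = eml_attachments(message_from_bytes(raw, policy=policy.default))
    return len(nested) == 1 and any(is_netorg_sharepoint(u) for u in body_links(nested[0]))

def sample(url):
    """Constructed test message: an outer mail carrying one EML whose body links to url."""
    inner = EmailMessage()
    inner["Subject"] = "Shared file"
    inner.set_content(f"Open the document: {url}\n")
    inner.add_alternative(f'<a href="{url}">Open</a>', subtype="html")
    outer = EmailMessage()
    outer["Subject"] = "FW: Shared file"
    outer.set_content("See attached.\n")
    outer.add_attachment(inner)
    return outer.as_bytes()
```

Anchoring the comparison on the `.sharepoint.com` suffix keeps look-alike hosts such as `netorg0000000.sharepoint.com.example.net` from matching.
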
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Attachment: EML with SharePoint files shared from GoDaddy federated tenants"
description: "Detects EML attachments containing SharePoint links with 'netorg' subdomain patterns, which may indicate suspicious redirection tactics or domain abuse."
type: "rule"
severity: "low"
source: |
  type.inbound
  and length(filter(attachments,
                    .file_extension == "eml" or .content_type == "message/rfc822"
             )
  ) == 1
  and any(attachments,
          any(file.parse_eml(.).body.links,
              strings.starts_with(.href_url.domain.subdomain, 'netorg')
              and .href_url.domain.root_domain == "sharepoint.com"
          )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "URL analysis"
  - "Content analysis"
id: "02c1f590-40f0-5db3-a8de-26bc1c1d9fc0"