sublime | medium | Rule

Link: Uncommon SharePoint document type with sender's display name

Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name.

MITRE ATT&CK

initial-access

Detection Query

// Purpose: flag OneDrive/SharePoint share-notification emails whose shared
// file is named after the sender (its name equals the sender's display name)
// and whose link is a personal-site share of an uncommon document type.
// A file literally named after the person sharing it is unusual for
// legitimate collaboration, so the combination is treated as a lure indicator.
// Tuning note: a user sharing a genuinely self-named file (a CV, a personal
// OneNote notebook) would also match; review such hits before suppressing.
type.inbound

// Identify the notification by the shape of its Message-ID
// ('<Share-...@odspnotify>') rather than by the sending domain: DKIM/SPF
// domains can be customised per tenant and are therefore not a stable anchor.
// The second branch covers mail relayed through Google, which is understood
// to rewrite Message-ID and carry the original value in the
// X-Google-Original-Message-ID hop header.
and (
  (
    strings.starts_with(headers.message_id, '<Share-')
    and strings.ends_with(headers.message_id, '@odspnotify>')
  )
  or (
    any(headers.hops,
        any(.fields,
            .name == "X-Google-Original-Message-ID"
            and strings.starts_with(.value, '<Share-')
            and strings.ends_with(.value, '@odspnotify>')
        )
    )
  )
)

// Body and subject phrasing used by the share-notification template.
// strings.like is wildcard matching against the current-thread text;
// NOTE(review): confirm whether strings.like is case-sensitive and whether
// every observed template variant uses exactly this casing.
and strings.like(body.current_thread.text,
                 "*shared a file with you*",
                 "*shared with you*",
                 "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")

// The shared file's name is rendered in the last row of the notification's
// presentation table. Compare each text node in that row with the sender's
// display name (=~ is a case-insensitive string comparison); this equality
// is the core anomaly the rule keys on.
and any(html.xpath(body.html,
                   '//table[@role="presentation"]//tr[last()]//text()'
        ).nodes,
        .display_text =~ sender.display_name
)

// The share link must be on sharepoint.com, be a personal-site share, and
// carry one of the sharing-link type markers below.
and any(body.links,
        .href_url.domain.root_domain == "sharepoint.com"
        // personal share: long form /g/personal/<user> or short form /p/
        and (
          // the /g/ segment only occurs together with /personal
          strings.icontains(.href_url.path, '/g/personal/')
          // NOTE(review): a bare '/p/' substring check is broad and would
          // also match any other path segment named "p" — confirm against
          // observed short-form share URLs.
          or strings.icontains(.href_url.path, '/p/')
        )
        // sharing-link type markers: /:o:/ OneNote, /:b:/ PDF.
        // NOTE(review): /:u:/ is also accepted here; in SharePoint sharing
        // links it appears to denote a generic/"other" file type rather than
        // OneNote or PDF — confirm it is intended, since the rule description
        // names only OneNote and PDF.
        and (
          strings.icontains(.href_url.path, '/:o:/')
          or strings.icontains(.href_url.path, '/:b:/')
          or strings.icontains(.href_url.path, '/:u:/')
        )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
# Sublime detection rule definition: human-readable metadata plus the MQL
# query under `source:`. The query text is a YAML block scalar; the `//`
# lines inside it are MQL comments.
name: "Link: Uncommon SharePoint document type with sender's display name"
description: "Detects SharePoint file shares containing personal OneNote or PDF files where the file name matches the sender's display name."
type: "rule"
severity: "medium"
source: |
  // Purpose: flag OneDrive/SharePoint share-notification emails whose shared
  // file is named after the sender (its name equals the sender's display name)
  // and whose link is a personal-site share of an uncommon document type.
  // A file literally named after the person sharing it is unusual for
  // legitimate collaboration, so the combination is treated as a lure indicator.
  // Tuning note: a user sharing a genuinely self-named file (a CV, a personal
  // OneNote notebook) would also match; review such hits before suppressing.
  type.inbound
  
  // Identify the notification by the shape of its Message-ID
  // ('<Share-...@odspnotify>') rather than by the sending domain: DKIM/SPF
  // domains can be customised per tenant and are therefore not a stable anchor.
  // The second branch covers mail relayed through Google, which is understood
  // to rewrite Message-ID and carry the original value in the
  // X-Google-Original-Message-ID hop header.
  and (
    (
      strings.starts_with(headers.message_id, '<Share-')
      and strings.ends_with(headers.message_id, '@odspnotify>')
    )
    or (
      any(headers.hops,
          any(.fields,
              .name == "X-Google-Original-Message-ID"
              and strings.starts_with(.value, '<Share-')
              and strings.ends_with(.value, '@odspnotify>')
          )
      )
    )
  )
  
  // Body and subject phrasing used by the share-notification template.
  // strings.like is wildcard matching against the current-thread text;
  // NOTE(review): confirm whether strings.like is case-sensitive and whether
  // every observed template variant uses exactly this casing.
  and strings.like(body.current_thread.text,
                   "*shared a file with you*",
                   "*shared with you*",
                   "*invited you to access a file*"
  )
  and strings.icontains(subject.subject, "shared")
  
  // The shared file's name is rendered in the last row of the notification's
  // presentation table. Compare each text node in that row with the sender's
  // display name (=~ is a case-insensitive string comparison); this equality
  // is the core anomaly the rule keys on.
  and any(html.xpath(body.html,
                     '//table[@role="presentation"]//tr[last()]//text()'
          ).nodes,
          .display_text =~ sender.display_name
  )
  
  // The share link must be on sharepoint.com, be a personal-site share, and
  // carry one of the sharing-link type markers below.
  and any(body.links,
          .href_url.domain.root_domain == "sharepoint.com"
          // personal share: long form /g/personal/<user> or short form /p/
          and (
            // the /g/ segment only occurs together with /personal
            strings.icontains(.href_url.path, '/g/personal/')
            // NOTE(review): a bare '/p/' substring check is broad and would
            // also match any other path segment named "p" — confirm against
            // observed short-form share URLs.
            or strings.icontains(.href_url.path, '/p/')
          )
          // sharing-link type markers: /:o:/ OneNote, /:b:/ PDF.
          // NOTE(review): /:u:/ is also accepted here; in SharePoint sharing
          // links it appears to denote a generic/"other" file type rather than
          // OneNote or PDF — confirm it is intended, since the rule description
          // names only OneNote and PDF.
          and (
            strings.icontains(.href_url.path, '/:o:/')
            or strings.icontains(.href_url.path, '/:b:/')
            or strings.icontains(.href_url.path, '/:u:/')
          )
  )
# Classification metadata used for rule browsing and grouping.
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "OneNote"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "URL analysis"
# Stable rule identifier.
id: "02d290b2-9cf5-5699-ac0c-e1e595d74d57"