EXPLORE
Sign In
← Back to Explore
sublimelowRule

Link: SharePoint files shared from GoDaddy federated tenants

This matches on inbound Shared File notiifcation emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These have been observed being frequently abused to send credential phishing campaigns.

MITRE ATT&CK

T1566T1566.001T1566.002T1598T1036T1027
defense-evasion

Detection Query

type.inbound
// Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
and strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')

// subject matches the default "shared <filename> with you" format
and strings.ends_with(subject.subject, ' with you')

// any of the links are the default netorgft name from GoDaddy
and any(body.links,
        // Default GoDaddy tenant names
        strings.starts_with(.href_url.domain.subdomain, 'netorg')
        and .href_url.domain.root_domain == "sharepoint.com"
)

// and sender has never had email sent to them
and not profile.by_sender().solicited

// and there haven't been any FPs reported for the sender
and not profile.by_sender().any_messages_benign

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Link: SharePoint files shared from GoDaddy federated tenants"
description: "This matches on inbound Shared File notiifcation emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These have been observed being frequently abused to send credential phishing campaigns."
type: "rule"
severity: "low"
source: |
  type.inbound
  // Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
  and strings.starts_with(headers.message_id, '<Share-')
  and strings.ends_with(headers.message_id, '@odspnotify>')
  
  // subject matches the default "shared <filename> with you" format
  and strings.ends_with(subject.subject, ' with you')
  
  // any of the links are the default netorgft name from GoDaddy
  and any(body.links,
          // Default GoDaddy tenant names
          strings.starts_with(.href_url.domain.subdomain, 'netorg')
          and .href_url.domain.root_domain == "sharepoint.com"
  )
  
  // and sender has never had email sent to them
  and not profile.by_sender().solicited
  
  // and there haven't been any FPs reported for the sender
  and not profile.by_sender().any_messages_benign
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Sender analysis"
  - "URL analysis"
id: "0e26cdd2-cf19-53ed-8b30-b3e2e7ea912f"