← Back to Explore
sublimehighRule
Credential phishing: Onedrive impersonation
This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language.
Detection Query
type.inbound
// one drive is found in the sender display name or sender local part
and (
(
regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
"one?drive"
) < 2
or any(attachments,
regex.icontains(.file_name, '[0o]ne\s?dr[il1]ve')
and not any(file.explode(.),
any(.scan.exiftool.fields,
.key == "Model"
or (
.key == "Software"
and strings.starts_with(.value, "Android")
)
)
// exclude images taken with mobile cameras and screenshots from Apple
or any(.scan.exiftool.fields,
.key == "DeviceManufacturer"
and .value == "Apple Computer Inc."
)
)
)
)
or regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')
// or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
or (
regex.icontains(strings.replace_confusables(subject.subject),
'[0o]ne\s?dr[il1]ve'
)
and (
any(body.links,
.href_url.domain.root_domain in $free_subdomain_hosts
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
or regex.contains(subject.subject, '(shared.{0,30}document)')
or any(body.links,
regex.icontains(.display_text,
"((view|show|access).(?:report|document)|review doc|view doc|view.attached)"
)
)
)
)
or (
any(beta.ml_topic(body.current_thread.text).topics,
.name == "File Sharing and Cloud Services" and .confidence == "high"
)
// more than half of the links with display text contain the keyword "onedrive"
and ratio(filter(body.links, .display_text is not null),
regex.icontains(.display_text, '[0o]ne\s?dr[il1]ve')
) > 0.5
)
)
// and body language is med/high confidence cred theft
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
and length(body.links) < 10
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// excludes docusign senders that contain "via" in the display name
and not (
any(headers.hops,
any(.fields,
.name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
)
)
and strings.contains(sender.display_name, "via")
)
and not profile.by_sender().any_messages_benign
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Credential phishing: Onedrive impersonation"
description: "This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language."
type: "rule"
severity: "high"
source: |
type.inbound
// one drive is found in the sender display name or sender local part
and (
(
regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
"one?drive"
) < 2
or any(attachments,
regex.icontains(.file_name, '[0o]ne\s?dr[il1]ve')
and not any(file.explode(.),
any(.scan.exiftool.fields,
.key == "Model"
or (
.key == "Software"
and strings.starts_with(.value, "Android")
)
)
// exclude images taken with mobile cameras and screenshots from Apple
or any(.scan.exiftool.fields,
.key == "DeviceManufacturer"
and .value == "Apple Computer Inc."
)
)
)
)
or regex.imatch(body.current_thread.text, '[0o]ne\s?dr[il1]ve.*')
// or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
or (
regex.icontains(strings.replace_confusables(subject.subject),
'[0o]ne\s?dr[il1]ve'
)
and (
any(body.links,
.href_url.domain.root_domain in $free_subdomain_hosts
and .href_url.domain.subdomain is not null
and .href_url.domain.subdomain != "www"
)
or regex.contains(subject.subject, '(shared.{0,30}document)')
or any(body.links,
regex.icontains(.display_text,
"((view|show|access).(?:report|document)|review doc|view doc|view.attached)"
)
)
)
)
or (
any(beta.ml_topic(body.current_thread.text).topics,
.name == "File Sharing and Cloud Services" and .confidence == "high"
)
// more than half of the links with display text contain the keyword "onedrive"
and ratio(filter(body.links, .display_text is not null),
regex.icontains(.display_text, '[0o]ne\s?dr[il1]ve')
) > 0.5
)
)
// and body language is med/high confidence cred theft
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
.name == "cred_theft" and .confidence in ("medium", "high")
)
)
and length(body.links) < 10
and sender.email.domain.root_domain not in (
"bing.com",
"microsoft.com",
"microsoftonline.com",
"microsoftsupport.com",
"microsoft365.com",
"office.com",
"onedrive.com",
"sharepointonline.com",
"yammer.com",
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
// excludes docusign senders that contain "via" in the display name
and not (
any(headers.hops,
any(.fields,
.name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
)
)
and strings.contains(sender.display_name, "via")
)
and not profile.by_sender().any_messages_benign
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free subdomain host"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Natural Language Understanding"
- "URL analysis"
id: "1f990c92-a6d5-5a0b-9462-ac469a8d556e"