EXPLORE
← Back to Explore
sublimemediumRule

Service abuse: Citrix ShareFile impersonation via Outlook plugin

Detects inbound messages with Word document attachments containing references to sharefile.com and Outlook plugin system indicators, suggesting abuse of legitimate file sharing services to deliver malicious content.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and any(attachments,
        .file_type in ("doc", "docx")
        and any(file.explode(.),
                strings.icontains(.scan.strings.raw, "sharefile.com")
                and strings.icontains(.scan.strings.raw,
                                      "src=system-email-outlookplugin-new"
                )
        )
)  

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Service abuse: Citrix ShareFile impersonation via Outlook plugin"
description: "Detects inbound messages with Word document attachments containing references to sharefile.com and Outlook plugin system indicators, suggesting abuse of legitimate file sharing services to deliver malicious content."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and any(attachments,
          .file_type in ("doc", "docx")
          and any(file.explode(.),
                  strings.icontains(.scan.strings.raw, "sharefile.com")
                  and strings.icontains(.scan.strings.raw,
                                        "src=system-email-outlookplugin-new"
                  )
          )
  )  
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Content analysis"
id: "29f07b46-d766-5aac-a4c3-78ddd0fec481"