← Back to Explore
sublimemediumRule
Service abuse: Citrix ShareFile impersonation via Outlook plugin
Detects inbound messages with Word document attachments containing references to sharefile.com and Outlook plugin system indicators, suggesting abuse of legitimate file sharing services to deliver malicious content.
Detection Query
type.inbound
and any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw, "sharefile.com")
and strings.icontains(.scan.strings.raw,
"src=system-email-outlookplugin-new"
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: Citrix ShareFile impersonation via Outlook plugin"
description: "Detects inbound messages with Word document attachments containing references to sharefile.com and Outlook plugin system indicators, suggesting abuse of legitimate file sharing services to deliver malicious content."
type: "rule"
severity: "medium"
source: |
type.inbound
and any(attachments,
.file_type in ("doc", "docx")
and any(file.explode(.),
strings.icontains(.scan.strings.raw, "sharefile.com")
and strings.icontains(.scan.strings.raw,
"src=system-email-outlookplugin-new"
)
)
)
attack_types:
- "BEC/Fraud"
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Social engineering"
detection_methods:
- "File analysis"
- "Content analysis"
id: "29f07b46-d766-5aac-a4c3-78ddd0fec481"