Sublime Rule · Severity: medium

Link: SharePoint OneNote or PDF link with self sender behavior

Detects messages where the sender and recipient are the same address, containing SharePoint links to OneNote or PDF files, with minimal attachments and non-standard message IDs indicating potential abuse of SharePoint services for malicious purposes.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
// self sender
and length(recipients.to) == 1
and recipients.to[0].email.email == sender.email.email
// single link to sharepoint
and length(filter(body.current_thread.links,
                  .href_url.domain.root_domain == 'sharepoint.com'
                  // it is either a OneNote or PDF file, or unknown
                  and regex.icontains(.href_url.path,
                                      '\/:[obu]:\/(?:p|g\/personal)'
                  )
           )
) == 1
// only one link to sharepoint
and length(filter(body.current_thread.links,
                  .href_url.domain.root_domain == 'sharepoint.com'
           )
) == 1
// not sent via sharepoint
and not strings.starts_with(headers.message_id, '<Share-')
and not strings.ends_with(headers.message_id, '@odspnotify>')
// 0 or 1 attachments (this reduces FPs which had many attachments)
and length(attachments) - length(filter(attachments,
                                        strings.contains(body.html.raw,
                                                         strings.concat('src="cid:',
                                                                        .content_id
                                                         )
                                        )
                                 )
) <= 1
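To make the rule's logic concrete, here is an added Python re-implementation of the same five conditions (self sender, exactly one SharePoint link and it is a OneNote/PDF/unknown share link, Message-ID not in SharePoint's own notification shape, at most one non-inline attachment) run over constructed sample messages. This is example code written for this page, not Sublime's engine or MQL: the `Message`/`Attachment` dataclasses, the `root_domain` helper (a naive last-two-labels approximation of `.domain.root_domain`, which really uses the public suffix list), and the sample messages are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List
from urllib.parse import urlparse

# The rule's path pattern: a SharePoint share link of the form /:o:/ (OneNote),
# /:b:/ (PDF) or /:u:/ (unknown type), followed by /p or /g/personal.
SHAREPOINT_PATH_RE = re.compile(r"/:[obu]:/(?:p|g/personal)", re.IGNORECASE)


@dataclass
class Attachment:
    content_id: str = ""   # Content-ID referenced by inline images (src="cid:...")


@dataclass
class Message:
    sender: str
    to: List[str]
    message_id: str
    links: List[str]                    # href URLs from the current thread body
    html_raw: str = ""
    attachments: List[Attachment] = field(default_factory=list)


def root_domain(url: str) -> str:
    # Assumption: simplistic "last two labels" root domain. Sublime's
    # .domain.root_domain uses the public suffix list; this helper does not.
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def is_self_sender(msg: Message) -> bool:
    # Exactly one To: recipient and it equals the sender address.
    return len(msg.to) == 1 and msg.to[0].lower() == msg.sender.lower()


def sharepoint_links(msg: Message) -> List[str]:
    return [u for u in msg.links if root_domain(u) == "sharepoint.com"]


def onenote_or_pdf_links(msg: Message) -> List[str]:
    return [u for u in sharepoint_links(msg) if SHAREPOINT_PATH_RE.search(urlparse(u).path)]


def sent_via_sharepoint(msg: Message) -> bool:
    # Genuine SharePoint share notifications carry these Message-ID shapes,
    # so the rule excludes them.
    return msg.message_id.startswith("<Share-") or msg.message_id.endswith("@odspnotify>")


def non_inline_attachment_count(msg: Message) -> int:
    # Inline images referenced as src="cid:<content_id>" in the HTML body
    # are subtracted, mirroring the rule's filter over attachments.
    inline = [a for a in msg.attachments if f'src="cid:{a.content_id}' in msg.html_raw]
    return len(msg.attachments) - len(inline)


def matches_rule(msg: Message) -> bool:
    return (
        is_self_sender(msg)
        and len(onenote_or_pdf_links(msg)) == 1
        and len(sharepoint_links(msg)) == 1
        and not sent_via_sharepoint(msg)
        and non_inline_attachment_count(msg) <= 1
    )


# Constructed sample messages (not real traffic; tenant and IDs are placeholders).
SUSPICIOUS = Message(
    sender="alice@example.com",
    to=["alice@example.com"],
    message_id="<1234.abcd@mail.example.com>",
    links=["https://tenant-my.sharepoint.com/:b:/g/personal/alice_example_com/EXAMPLEID"],
    html_raw='<p>Review the document</p><img src="cid:logo1">',
    attachments=[Attachment(content_id="logo1")],   # inline logo, not counted
)

GENUINE_SHARE = Message(
    sender="alice@example.com",
    to=["alice@example.com"],
    message_id="<Share-abcd1234@odspnotify>",       # SharePoint's own notification shape
    links=["https://tenant-my.sharepoint.com/:o:/g/personal/alice_example_com/EXAMPLEID"],
)

MANY_ATTACHMENTS = Message(
    sender="alice@example.com",
    to=["alice@example.com"],
    message_id="<5678.efgh@mail.example.com>",
    links=["https://tenant-my.sharepoint.com/:u:/p/alice/EXAMPLEID"],
    attachments=[Attachment("a"), Attachment("b"), Attachment("c")],   # 3 real attachments
)

if __name__ == "__main__":
    for name, m in [("suspicious", SUSPICIOUS), ("genuine_share", GENUINE_SHARE),
                    ("many_attachments", MANY_ATTACHMENTS)]:
        print(f"{name}: {matches_rule(m)}")
```

Only the first sample fires: the second is excluded by the Message-ID check that keeps real SharePoint share notifications out, and the third by the attachment-count clause the rule's comment says was added to reduce false positives.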

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Tags

Attack surface reduction

Raw Content
name: "Link: SharePoint OneNote or PDF link with self sender behavior"
description: "Detects messages where the sender and recipient are the same address, containing SharePoint links to OneNote or PDF files, with minimal attachments and non-standard message IDs indicating potential abuse of SharePoint services for malicious purposes."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // self sender
  and length(recipients.to) == 1
  and recipients.to[0].email.email == sender.email.email
  // single link to sharepoint
  and length(filter(body.current_thread.links,
                    .href_url.domain.root_domain == 'sharepoint.com'
                    // it is either a OneNote or PDF file, or unknown
                    and regex.icontains(.href_url.path,
                                        '\/:[obu]:\/(?:p|g\/personal)'
                    )
             )
  ) == 1
  // only one link to sharepoint
  and length(filter(body.current_thread.links,
                    .href_url.domain.root_domain == 'sharepoint.com'
             )
  ) == 1
  // not sent via sharepoint
  and not strings.starts_with(headers.message_id, '<Share-')
  and not strings.ends_with(headers.message_id, '@odspnotify>')
  // 0 or 1 attachments (this reduces FPs which had many attachments)
  and length(attachments) - length(filter(attachments,
                                          strings.contains(body.html.raw,
                                                           strings.concat('src="cid:',
                                                                          .content_id
                                                           )
                                          )
                                   )
  ) <= 1
tags:
  - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free file host"
  - "OneNote"
  - "PDF"
detection_methods:
  - "Header analysis"
  - "URL analysis"
  - "Sender analysis"
id: "588e7203-98f8-5ab0-a89a-803ae377bda5"