← Back to Explore
sublimehighRule
Link: Suspicious Sharepoint folder share
Detection Rule matches on messages which contain a link to a sharepoint shared folder containing a single file which is either a .url file, the filename is all caps, or includes call to action wording. These messages must not be sent from sharepoint and are either not solicited or from a new or outlier sender.
Detection Query
type.inbound
and any(filter(body.links,
// folder share
strings.icontains(.href_url.domain.domain, "-my.sharepoint.com")
and strings.icontains(.href_url.url, "/:f:/g/personal")
// remove links which contains the domain sld in the subdomain (tenenat) name
and not any($org_slds,
strings.icontains(..href_url.domain.subdomain, .)
)
),
( // a shared URL file
regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<div role="row" aria-label="[^\"]+.url, url File, Shared'
)
or
// the name of the file is all caps allowing for special charaters too
regex.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[A-Z0-9_\-\s]+\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
)
or
// includes odd wording
regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[^\"]*(?:dropbox|docusign|secured?|important|shared?|protected|encrypted|scanne[rd]|_IMG_|IMG[_-](?:\d|\W)|doc(?:ument)?\s?\d+|one_drive|OneDrive|Access|Review Document|Click Here|Download|validate|Confidential(?:ity)?|payment|invoice|INV(?:_|\s)?\d+|INV(?:_|\s)|P[O0]\W+?\d+|Past Due|Remit(?:tance)?|statement|Purchase Order|settlement|contract agreement|Pr[0o]p[0o]sal|contract doc|EFax|\.\.\.)[^\"]*\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
)
)
// and only a single file shared
and strings.icount(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<div role="presentation" data-automationid="ListCell" class="ms-List-cell"'
) == 1
)
// message is not from sharepoint actual
and not (
strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')
)
and (
// not solicited
not profile.by_sender().solicited
// new or outlier sender prevalence
or profile.by_sender().prevalence in ("new", "outlier")
// marked as spam and no FPs
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Link: Suspicious Sharepoint folder share"
description: "Detection Rule matches on messages which contain a link to a sharepoint shared folder containing a single file which is either a .url file, the filename is all caps, or includes call to action wording. These messages must not be sent from sharepoint and are either not solicited or from a new or outlier sender."
type: "rule"
severity: "high"
source: |
type.inbound
and any(filter(body.links,
// folder share
strings.icontains(.href_url.domain.domain, "-my.sharepoint.com")
and strings.icontains(.href_url.url, "/:f:/g/personal")
// remove links which contains the domain sld in the subdomain (tenenat) name
and not any($org_slds,
strings.icontains(..href_url.domain.subdomain, .)
)
),
( // a shared URL file
regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<div role="row" aria-label="[^\"]+.url, url File, Shared'
)
or
// the name of the file is all caps allowing for special charaters too
regex.contains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[A-Z0-9_\-\s]+\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
)
or
// includes odd wording
regex.icontains(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<button data-automationid=\"FieldRenderer-name\" data-selection-invoke=\"true\" title="[^\"]*(?:dropbox|docusign|secured?|important|shared?|protected|encrypted|scanne[rd]|_IMG_|IMG[_-](?:\d|\W)|doc(?:ument)?\s?\d+|one_drive|OneDrive|Access|Review Document|Click Here|Download|validate|Confidential(?:ity)?|payment|invoice|INV(?:_|\s)?\d+|INV(?:_|\s)|P[O0]\W+?\d+|Past Due|Remit(?:tance)?|statement|Purchase Order|settlement|contract agreement|Pr[0o]p[0o]sal|contract doc|EFax|\.\.\.)[^\"]*\.[^\"]{3,4}\" role=\"link\" type=\"button\"'
)
)
// and only a single file shared
and strings.icount(ml.link_analysis(., mode="aggressive").final_dom.raw,
'<div role="presentation" data-automationid="ListCell" class="ms-List-cell"'
) == 1
)
// message is not from sharepoint actual
and not (
strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')
)
and (
// not solicited
not profile.by_sender().solicited
// new or outlier sender prevalence
or profile.by_sender().prevalence in ("new", "outlier")
// marked as spam and no FPs
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Evasion"
detection_methods:
- "HTML analysis"
- "Header analysis"
- "Sender analysis"
- "URL analysis"
id: "6168a08c-6f4f-599f-877f-52efbba51cc4"