Link: Secure SharePoint file share from new or unusual sender

name: "Link: Secure SharePoint file share from new or unusual sender"
description: "This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content."
type: "rule"
severity: "low"
source: |
  type.inbound
  // SharePoint email indicators
  and strings.like(body.current_thread.text,
                   "*shared a file with you*",
                   "*shared with you*",
                   "*invited you to access a file*"
  )
  and strings.icontains(subject.subject, "shared")
  // the Sharepoint file has been "Protected"
  and any([body.plain.raw, body.current_thread.text],
          strings.icontains(.,
                            "This link only works for the direct recipients of this message"
          )
  )
  and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
  
  // sender is uncommon
  and (
    (
      profile.by_sender_email().prevalence in ("new", "rare", "outlier")
      and not profile.by_sender_email().solicited
    )
    // or the reply-to address has never sent an email to the org
    or (
      sender.email.domain.root_domain == "sharepointonline.com"
      and beta.profile.by_reply_to().prevalence == "new"
    )
    // or the message contains suspect language
    or (regex.icontains(body.current_thread.text, '(kindly)'))
  )
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free file host"
  - "Evasion"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "74ed3020-50f8-5237-8a4d-bd7665a815aa"