← Back to Explore
sublimemediumRule
Impersonation: SharePoint reply header anomaly
Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns
Detection Query
type.inbound
// appears to be a reply
and strings.istarts_with(headers.in_reply_to, '<Share-')
and strings.ends_with(headers.in_reply_to, '@odspnotify>')
and any([body.current_thread.text, body.plain.raw],
strings.ilike(.,
"*shared a file with you*",
"*shared with you*",
"*invited you to access a file*",
"*received a document*",
"*shared a document*",
"*shared a new document*",
"*shared this document*"
)
)
and ( // but lacks other reply elements
not (
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "RES:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject,
"答复:"
) // response
or strings.istarts_with(subject.subject,
"回复:"
) // reply
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or strings.istarts_with(subject.subject, "Resposta automática:")
or strings.istarts_with(subject.subject, "Automatische Antwort:")
or strings.istarts_with(subject.subject, "Autosvar:")
or regex.icontains(subject.subject,
'^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|tr|aw|automat(ic|ed) reply)\s?:'
)
)
// the sender is the recipient
// or the recipients are hidden
or (
(
sender.email.email in map(recipients.to, .email.email)
and sum([
length(recipients.bcc),
length(recipients.to),
length(recipients.cc)
]
) == 1
)
or length(recipients.to) == 0
or all(recipients.to, .email.email is null or .email.email == "")
)
)
// lack a previous thread with sharepoint stuff
and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
3 of (
strings.icontains(., "from:"),
strings.icontains(., "to:"),
strings.icontains(., "sent:"),
strings.icontains(., "date:"),
strings.icontains(., "cc:"),
strings.icontains(., "subject:")
)
and regex.icontains(.,
'(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
'(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
'(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
)
)
// negate bouncebacks and undeliverables
and not any(attachments,
.content_type in (
"message/global-delivery-status",
"message/delivery-status"
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Impersonation: SharePoint reply header anomaly"
description: "Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns"
type: "rule"
severity: "medium"
source: |
type.inbound
// appears to be a reply
and strings.istarts_with(headers.in_reply_to, '<Share-')
and strings.ends_with(headers.in_reply_to, '@odspnotify>')
and any([body.current_thread.text, body.plain.raw],
strings.ilike(.,
"*shared a file with you*",
"*shared with you*",
"*invited you to access a file*",
"*received a document*",
"*shared a document*",
"*shared a new document*",
"*shared this document*"
)
)
and ( // but lacks other reply elements
not (
strings.istarts_with(subject.subject, "RE:")
or strings.istarts_with(subject.subject, "RES:")
or strings.istarts_with(subject.subject, "R:")
or strings.istarts_with(subject.subject, "ODG:")
or strings.istarts_with(subject.subject,
"答复:"
) // response
or strings.istarts_with(subject.subject,
"回复:"
) // reply
or strings.istarts_with(subject.subject, "AW:")
or strings.istarts_with(subject.subject, "TR:")
or strings.istarts_with(subject.subject, "FWD:")
or strings.istarts_with(subject.subject, "Resposta automática:")
or strings.istarts_with(subject.subject, "Automatische Antwort:")
or strings.istarts_with(subject.subject, "Autosvar:")
or regex.icontains(subject.subject,
'^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|tr|aw|automat(ic|ed) reply)\s?:'
)
)
// the sender is the recipient
// or the recipients are hidden
or (
(
sender.email.email in map(recipients.to, .email.email)
and sum([
length(recipients.bcc),
length(recipients.to),
length(recipients.cc)
]
) == 1
)
or length(recipients.to) == 0
or all(recipients.to, .email.email is null or .email.email == "")
)
)
// lack a previous thread with sharepoint stuff
and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
3 of (
strings.icontains(., "from:"),
strings.icontains(., "to:"),
strings.icontains(., "sent:"),
strings.icontains(., "date:"),
strings.icontains(., "cc:"),
strings.icontains(., "subject:")
)
and regex.icontains(.,
'(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
'(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
'(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
)
)
// negate bouncebacks and undeliverables
and not any(attachments,
.content_type in (
"message/global-delivery-status",
"message/delivery-status"
)
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Social engineering"
- "Impersonation: Brand"
- "Evasion"
- "Spoofing"
detection_methods:
- "Header analysis"
- "Content analysis"
- "Sender analysis"
id: "78875848-71ba-5685-ba1c-00c5269cad23"