EXPLORE
Sign In
← Back to Explore
sublimemediumRule

Suspicious SharePoint file sharing

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.

MITRE ATT&CK

T1566T1566.001T1566.002T1598

Detection Query

type.inbound

// Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
and strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')

// SharePoint email indicators
and strings.like(body.current_thread.text,
                 "*shared a file with you*",
                 "*shared with you*",
                 "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")

// sender analysis 
and (
  (
    // if the sender is not the sharepointonline.com, we can use the sender email
    // to see if it is a solicited email
    sender.email.domain.domain != "sharepointonline.com"
    and not profile.by_sender().solicited
  )
  // if it is the sharepointonline sender, use the reply-to header
  or (
    sender.email.domain.domain =~ "sharepointonline.com"
    and length(headers.reply_to) > 0
    and 
    // a newly created domain
    (
      all(headers.reply_to,
          .email.domain.root_domain not in $free_email_providers
          and network.whois(.email.domain).days_old <= 30
          and .email.email != sender.email.email
      )

      // is a free email provider
      or all(headers.reply_to,
             .email.domain.root_domain in $free_email_providers
      )

      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      
      // no outbound emails 
      or not beta.profile.by_reply_to().solicited
    )
    // do not match if the reply_to address has been observed as a reply_to address
    // of a message that has been classified as benign
    and not beta.profile.by_reply_to().any_messages_benign
  )
)
// link logic
and any(body.links,
        .href_url.domain.root_domain == "sharepoint.com"
        // it is a personal share
        and (
          // /g/ is only found with /personal
          strings.icontains(.href_url.path, '/g/personal/')
          or strings.icontains(.href_url.path, '/p/')
        )
        // it is either a OneNote or PDF
        and (
          strings.icontains(.href_url.path, '/:o:/')
          or strings.icontains(.href_url.path, '/:b:/')
          or strings.icontains(.href_url.path, '/:u:/')
        )
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "Suspicious SharePoint file sharing"
description: "This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics."
type: "rule"
severity: "medium"
source: |
  type.inbound
  
  // Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
  and strings.starts_with(headers.message_id, '<Share-')
  and strings.ends_with(headers.message_id, '@odspnotify>')
  
  // SharePoint email indicators
  and strings.like(body.current_thread.text,
                   "*shared a file with you*",
                   "*shared with you*",
                   "*invited you to access a file*"
  )
  and strings.icontains(subject.subject, "shared")
  
  // sender analysis 
  and (
    (
      // if the sender is not the sharepointonline.com, we can use the sender email
      // to see if it is a solicited email
      sender.email.domain.domain != "sharepointonline.com"
      and not profile.by_sender().solicited
    )
    // if it is the sharepointonline sender, use the reply-to header
    or (
      sender.email.domain.domain =~ "sharepointonline.com"
      and length(headers.reply_to) > 0
      and 
      // a newly created domain
      (
        all(headers.reply_to,
            .email.domain.root_domain not in $free_email_providers
            and network.whois(.email.domain).days_old <= 30
            and .email.email != sender.email.email
        )
  
        // is a free email provider
        or all(headers.reply_to,
               .email.domain.root_domain in $free_email_providers
        )

        //
        // This rule makes use of a beta feature and is subject to change without notice
        // using the beta feature in custom rules is not suggested until it has been formally released
        //
        
        // no outbound emails 
        or not beta.profile.by_reply_to().solicited
      )
      // do not match if the reply_to address has been observed as a reply_to address
      // of a message that has been classified as benign
      and not beta.profile.by_reply_to().any_messages_benign
    )
  )
  // link logic
  and any(body.links,
          .href_url.domain.root_domain == "sharepoint.com"
          // it is a personal share
          and (
            // /g/ is only found with /personal
            strings.icontains(.href_url.path, '/g/personal/')
            or strings.icontains(.href_url.path, '/p/')
          )
          // it is either a OneNote or PDF
          and (
            strings.icontains(.href_url.path, '/:o:/')
            or strings.icontains(.href_url.path, '/:b:/')
            or strings.icontains(.href_url.path, '/:u:/')
          )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Free file host"
  - "OneNote"
  - "PDF"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
  - "URL analysis"
id: "971c3d9c-1605-5307-85e3-c017c6b72abb"