← Back to Explore
sublimemediumRule
Sharepoint file share with suspicious recipients pattern
This rule detects messages originating from sharepoint.com with undisclosed recipients that are attempting to solicit the user to click a link. This has been observed in the event of an account compromise where the compromised account was utilizing legitimate file sharing services to share malicious links.
Detection Query
type.inbound
// Suspicious recipient pattern
and any(recipients.to, .display_name == "Undisclosed recipients")
and strings.ilike(body.current_thread.text,
"*shared a file with you*",
"*shared with you*",
"*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Sharepoint file share with suspicious recipients pattern"
description: |
This rule detects messages originating from sharepoint.com with undisclosed recipients that are attempting to solicit the user to click a link.
This has been observed in the event of an account compromise where the compromised account was utilizing legitimate file sharing services to share malicious links.
type: "rule"
severity: "medium"
source: |
type.inbound
// Suspicious recipient pattern
and any(recipients.to, .display_name == "Undisclosed recipients")
and strings.ilike(body.current_thread.text,
"*shared a file with you*",
"*shared with you*",
"*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
attack_types:
- "Credential Phishing"
- "Malware/Ransomware"
tactics_and_techniques:
- "Evasion"
detection_methods:
- "Content analysis"
- "Header analysis"
- "URL analysis"
id: "998a0826-e917-5a8f-9e15-0f1ded21bf91"