Link: SharePoint filename matches org name
Detects messages claiming to share files via SharePoint or OneDrive where the shared file name pattern matches the organizational naming pattern, indicating potential abuse of legitimate file sharing services to impersonate organizations.
Detection Query
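// Inbound mail that claims to share a SharePoint / OneDrive file whose
// displayed file name matches the sender org's name (via the sender domain
// or the Microsoft footer), which is one way a legitimate sharing service
// gets used to impersonate an organisation.
type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
// exclude edit invitations. The pattern needs the wildcards to act as a
// substring exclusion, consistent with the ilike calls above; without them
// ilike only matches a body consisting solely of this phrase, so the
// exclusion never fires.
and not strings.ilike(body.current_thread.text, "*invited you to edit*")
and (
  // use the display text of the link to determine the name of the file
  any(filter(body.current_thread.links,
             // links into our own tenant are not impersonation candidates
             .href_url.domain.domain not in $tenant_domains
             and (
               .href_url.domain.root_domain == "sharepoint.com"
               or .href_url.domain.root_domain == "1drv.ms"
               // handle urls with mimecast rewriting; only the sharepoint.com
               // form is unwrapped here, a rewritten 1drv.ms link is not
               or (
                 .href_url.domain.root_domain == 'mimecastprotect.com'
                 and strings.icontains(.href_url.query_params,
                                       '.sharepoint.com'
                 )
               )
             )
             // the generic "Open" button carries no file name
             and .display_text != "Open"
      ),
      // case 1: the file name equals (case-insensitively) the second-level
      // label of the sender's domain
      .display_text =~ sender.email.domain.sld
      // case 2: the file name matches the org name named in the footer
      // ("... generated through <org>'s use ..."); ..display_text refers to
      // the link from the enclosing filter
      or any(regex.extract(body.current_thread.text,
                           "generated through (?P<org_name>[^']+)'s use"
             ),
             // the document name is the same as the org name as determined
             // by the footer. Argument order is (string, prefix): this checks
             // that the org_name starts with the display_text, i.e. the file
             // name is a prefix of the org name
             strings.istarts_with(.named_groups["org_name"], ..display_text)
             // the "reverse" check: the org_name is a prefix or suffix of the
             // display_text, and it makes up a large enough share of it
             or (
               (
                 strings.istarts_with(..display_text, .named_groups["org_name"])
                 or strings.iends_with(..display_text,
                                       .named_groups["org_name"]
                 )
               )
               // org_name must be more than 45% of the file name, so a short
               // org name buried in a long file name does not match;
               // * 1.0 forces a float ratio. The preceding prefix/suffix
               // check implies display_text is non-empty here (org_name is
               // at least one character by the regex)
               and (
                 length(.named_groups["org_name"]) / (
                   length(..display_text) * 1.0
                 )
               ) > 0.45
             )
      )
  )
)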
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
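name: "Link: SharePoint filename matches org name"
description: "Detects messages claiming to share files via SharePoint or OneDrive where the shared file name pattern matches the organizational naming pattern, indicating potential abuse of legitimate file sharing services to impersonate organizations."
type: "rule"
severity: "medium"
# MQL detection logic. Two org-name sources are compared against the link's
# display text (the file name): the sender domain's second-level label and the
# org named in the Microsoft sharing footer.
source: |
  type.inbound
  and strings.ilike(subject.subject, "*shared*", "*invit*")
  and strings.ilike(body.current_thread.text,
                    "*shared a file with you*",
                    "*shared with you*",
                    "*invited you to access a file*"
  )
  // exclude edit invitations. The pattern needs the wildcards to act as a
  // substring exclusion, consistent with the ilike calls above; without them
  // ilike only matches a body consisting solely of this phrase, so the
  // exclusion never fires.
  and not strings.ilike(body.current_thread.text, "*invited you to edit*")
  and (
    // use the display text of the link to determine the name of the file
    any(filter(body.current_thread.links,
               // links into our own tenant are not impersonation candidates
               .href_url.domain.domain not in $tenant_domains
               and (
                 .href_url.domain.root_domain == "sharepoint.com"
                 or .href_url.domain.root_domain == "1drv.ms"
                 // handle urls with mimecast rewriting; only the sharepoint.com
                 // form is unwrapped here, a rewritten 1drv.ms link is not
                 or (
                   .href_url.domain.root_domain == 'mimecastprotect.com'
                   and strings.icontains(.href_url.query_params,
                                         '.sharepoint.com'
                   )
                 )
               )
               // the generic "Open" button carries no file name
               and .display_text != "Open"
        ),
        // case 1: the file name equals (case-insensitively) the second-level
        // label of the sender's domain
        .display_text =~ sender.email.domain.sld
        // case 2: the file name matches the org name named in the footer
        // ("... generated through <org>'s use ..."); ..display_text refers to
        // the link from the enclosing filter
        or any(regex.extract(body.current_thread.text,
                             "generated through (?P<org_name>[^']+)'s use"
               ),
               // the document name is the same as the org name as determined
               // by the footer. Argument order is (string, prefix): this checks
               // that the org_name starts with the display_text, i.e. the file
               // name is a prefix of the org name
               strings.istarts_with(.named_groups["org_name"], ..display_text)
               // the "reverse" check: the org_name is a prefix or suffix of the
               // display_text, and it makes up a large enough share of it
               or (
                 (
                   strings.istarts_with(..display_text, .named_groups["org_name"])
                   or strings.iends_with(..display_text,
                                         .named_groups["org_name"]
                   )
                 )
                 // org_name must be more than 45% of the file name, so a short
                 // org name buried in a long file name does not match;
                 // * 1.0 forces a float ratio. The preceding prefix/suffix
                 // check implies display_text is non-empty here (org_name is
                 // at least one character by the regex)
                 and (
                   length(.named_groups["org_name"]) / (
                     length(..display_text) * 1.0
                   )
                 ) > 0.45
               )
        )
    )
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Employee"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "URL analysis"
id: "cb954726-12ac-5956-b4d1-55fcf3b4bd95"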