← Back to Explore
sublimemediumRule
Brand Impersonation: ShareFile
This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages.
Detection Query
type.inbound
and (
0 < length(body.links) < 100
or 0 < length(filter(attachments, .file_type in $file_types_images)) <= 5
or length(filter(attachments, .file_type == "pdf")) == 1
)
and (
strings.icontains(sender.display_name, 'ShareFile')
or strings.icontains(subject.subject, 'ShareFile Attachments')
or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
or strings.icontains(sender.email.domain.domain, 'sharefile')
// message body
or strings.icontains(body.current_thread.text, 'ShareFile Attachments')
or strings.icontains(body.current_thread.text,
'Click here to change how often ShareFile sends emails'
)
or strings.icontains(body.current_thread.text,
'uses ShareFile to share documents securely'
)
or strings.icontains(body.current_thread.text,
'ShareFile is a tool for sending, receiving, and organizing your business files online'
)
or regex.icontains(body.current_thread.text,
'shared a (?:file|document)\s*(?:\w+\s+){0,3}\s*via sharefile'
)
or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
or regex.icontains(body.current_thread.text, '© 20\d\d ShareFile')
// any of the attached images contain the same message body wording
or (
0 < length(attachments) <= 5
and (
all(attachments, .file_type in $file_types_images)
or (length(filter(attachments, .file_type == "pdf")) == 1)
)
and any(attachments,
any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'ShareFile Attachments')
or strings.icontains(.scan.ocr.raw,
'Click here to change how often ShareFile sends emails'
)
or strings.icontains(.scan.ocr.raw,
'uses ShareFile to share documents securely'
)
or strings.icontains(.scan.ocr.raw,
'ShareFile is a tool for sending, receiving, and organizing your business files online'
)
or strings.icontains(.scan.ocr.raw,
'Powered By Citrix ShareFile'
)
or regex.icontains(body.current_thread.text,
'© 20\d\d ShareFile'
)
)
)
)
)
and not (
sender.email.domain.root_domain in (
'sf-notifications.com',
'sharefile.com',
'cloud.com', // previous parent org of ShareFile
'progress.com' // progress.com is the parent org of ShareFile
)
and headers.auth_summary.dmarc.pass
)
// ShareFile also allows you customers to send from customer domains/mail servers
// https://docs.sharefile.com/en-us/sharefile/configure/admin-settings/advanced-preferences.html#smtp-server
// when this happens, we cannot depend on the sender.email.domain.root_domain
// there does appear to be a custom header value added though.
and not (
any(headers.hops,
.index == 0
and any(.fields,
(
.name =~ "X-SMTPAPI"
and strings.icontains(.value, 'sf_event_id')
)
or .name in~ ("x-sf-messageclass", "x-sf-uri")
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand Impersonation: ShareFile"
description: "This detection rule matches on the impersonation of the file sharing site ShareFile. Threat actors have been observed abusing this brand to deliver messages with links to crediential phishing pages. "
type: "rule"
severity: "medium"
source: |
type.inbound
and (
0 < length(body.links) < 100
or 0 < length(filter(attachments, .file_type in $file_types_images)) <= 5
or length(filter(attachments, .file_type == "pdf")) == 1
)
and (
strings.icontains(sender.display_name, 'ShareFile')
or strings.icontains(subject.subject, 'ShareFile Attachments')
or strings.ilevenshtein(sender.display_name, 'ShareFile') <= 2
or strings.icontains(sender.email.domain.domain, 'sharefile')
// message body
or strings.icontains(body.current_thread.text, 'ShareFile Attachments')
or strings.icontains(body.current_thread.text,
'Click here to change how often ShareFile sends emails'
)
or strings.icontains(body.current_thread.text,
'uses ShareFile to share documents securely'
)
or strings.icontains(body.current_thread.text,
'ShareFile is a tool for sending, receiving, and organizing your business files online'
)
or regex.icontains(body.current_thread.text,
'shared a (?:file|document)\s*(?:\w+\s+){0,3}\s*via sharefile'
)
or strings.icontains(body.current_thread.text, 'Powered By Citrix ShareFile')
or regex.icontains(body.current_thread.text, '© 20\d\d ShareFile')
// any of the attached images contain the same message body wording
or (
0 < length(attachments) <= 5
and (
all(attachments, .file_type in $file_types_images)
or (length(filter(attachments, .file_type == "pdf")) == 1)
)
and any(attachments,
any(file.explode(.),
strings.icontains(.scan.ocr.raw, 'ShareFile Attachments')
or strings.icontains(.scan.ocr.raw,
'Click here to change how often ShareFile sends emails'
)
or strings.icontains(.scan.ocr.raw,
'uses ShareFile to share documents securely'
)
or strings.icontains(.scan.ocr.raw,
'ShareFile is a tool for sending, receiving, and organizing your business files online'
)
or strings.icontains(.scan.ocr.raw,
'Powered By Citrix ShareFile'
)
or regex.icontains(body.current_thread.text,
'© 20\d\d ShareFile'
)
)
)
)
)
and not (
sender.email.domain.root_domain in (
'sf-notifications.com',
'sharefile.com',
'cloud.com', // previous parent org of ShareFile
'progress.com' // progress.com is the parent org of ShareFile
)
and headers.auth_summary.dmarc.pass
)
// ShareFile also allows you customers to send from customer domains/mail servers
// https://docs.sharefile.com/en-us/sharefile/configure/admin-settings/advanced-preferences.html#smtp-server
// when this happens, we cannot depend on the sender.email.domain.root_domain
// there does appear to be a custom header value added though.
and not (
any(headers.hops,
.index == 0
and any(.fields,
(
.name =~ "X-SMTPAPI"
and strings.icontains(.value, 'sf_event_id')
)
or .name in~ ("x-sf-messageclass", "x-sf-uri")
)
)
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Evasion"
- "Lookalike domain"
detection_methods:
- "Header analysis"
- "Content analysis"
- "Sender analysis"
id: "f8330307-67fe-5b49-b850-bfdc17955aea"