Link: Suspicious SharePoint document name
This rule matches emails sent from SharePoint that notify the recipient of a shared file whose document name contains suspicious content. The link display text is used to identify the name of the shared file.
Detection Query
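// Match SharePoint / OneDrive "shared a file" notifications whose shared-file name
// (taken from the display text of the sharing link) looks like a phishing lure.
// The sender must additionally be unsolicited, or be the SharePoint no-reply address.
type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
// strings.ilike is a whole-string glob match (compare the wildcarded patterns
// above), so the exclusion needs wildcards to catch text that merely contains
// the phrase; without them it only excluded a body that is exactly this string
and not strings.ilike(body.current_thread.text, "*invited you to edit*")
and (
  // use the display text of the link to determine the name of the file
  any(filter(body.links,
             (
               .href_url.domain.root_domain == "sharepoint.com"
               or .href_url.domain.root_domain == "1drv.ms"
               // handle urls with mimecast rewriting
               or (
                 .href_url.domain.root_domain == 'mimecastprotect.com'
                 and strings.icontains(.href_url.query_params,
                                       '.sharepoint.com'
                 )
               )
             )
             // "Open" is the generic button label, not the file name
             and .display_text != "Open"
             // links into the organization's own tenant are out of scope
             and not .href_url.domain.domain in $tenant_domains
      ),
      // the file name does not include lowercase letters, while allowing for non letter chars
      regex.match(.display_text, '^[^a-z]+$')
      // file sharing service references
      or strings.icontains(.display_text, 'dropbox')
      or strings.icontains(.display_text, 'docusign')
      // file name lures
      // secure theme
      or regex.icontains(.display_text, 'secured?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'important.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'shared?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'protected.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'encrypted.*(?:file|document|docs|fax)')
      // scanner theme: 'scanne[rd]_' is a character class, so this must be a
      // regex call; strings.icontains would only match the literal brackets
      or regex.icontains(.display_text, 'scanne[rd]_')
      // image themed
      or strings.icontains(.display_text, '_IMG_')
      or regex.icontains(.display_text, '^IMG[_-](?:\d|\W)+$')
      // digits
      or regex.icontains(.display_text, 'doc(?:ument)?\s?\d+$')
      or regex.icontains(.display_text, '^\d+$')
      // onedrive theme
      or strings.icontains(.display_text, 'one_docx')
      or strings.icontains(.display_text, 'OneDrive')
      or regex.icontains(.display_text, 'A document.*One.?Drive')
      // action in file name
      or strings.icontains(.display_text, 'click here')
      or strings.icontains(.display_text, 'Download PDF')
      or strings.icontains(.display_text, 'Validate')
      or strings.icontains(.display_text, 'sent you ')
      // limited file name to "confidential" (=~ is a case-insensitive whole-string compare)
      or .display_text =~ 'Confidentiality'
      or .display_text =~ 'Confidential'
      // invoice themes
      or any(ml.nlu_classifier(.display_text).entities, .name == "financial")
      or strings.icontains(.display_text, 'payment')
      or strings.icontains(.display_text, 'invoice')
      or regex.icontains(.display_text, 'INV(?:_|\s)?\d+$')
      // starts with INV_ or INV\x20
      or regex.icontains(.display_text, '^INV(?:_|\s)')
      or regex.icontains(.display_text, 'P[O0]\W+?\d+$')
      or strings.icontains(.display_text, 'receipt')
      or strings.icontains(.display_text, 'billing')
      or (
        strings.icontains(.display_text, 'statement')
        and not .display_text =~ "Privacy Statement"
      )
      or strings.icontains(.display_text, 'Past Due')
      or regex.icontains(.display_text, 'Remit(tance)?')
      or strings.icontains(.display_text, 'Purchase Order')
      // contract language
      or strings.icontains(.display_text, 'settlement')
      or strings.icontains(.display_text, 'contract agreement')
      or regex.icontains(.display_text, 'Pr[0o]p[0o]sal')
      or strings.icontains(.display_text, 'contract doc')
      // generic document name AND additional suspicious indicator
      or (
        // imatch is a whole-string match: the name is exactly "document"/"documents"
        regex.imatch(.display_text, 'documents?')
        and (
          // Find the share comment in the HTML and check for reply/forward "impersonation"
          regex.icontains(body.html.raw,
                          '<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)'
          )
        )
      )
      // Payroll/HR
      // section also used in abuse_dropbox_sus_names.yml with modified input
      or strings.icontains(.display_text, 'Payroll')
      // '\b' is a regex word boundary, so this must be a regex call rather than
      // a literal substring search
      or regex.icontains(.display_text, 'Employee Pay\b')
      or strings.icontains(.display_text, 'Salary')
      or strings.icontains(.display_text, 'Benefit Enrollment')
      or strings.icontains(.display_text, 'Employee Handbook')
      or strings.icontains(.display_text, 'Reimbursement Approved')
      or regex.icontains(.display_text,
                         '(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
      )
      // pattern of `sld - open items`
      or strings.istarts_with(.display_text,
                              strings.concat(sender.email.domain.sld, ' - ')
      )
  )
)
and (
  // the sender has never had email sent to them
  profile.by_sender().solicited == false
  // oftentimes no-reply is solicited due to various behaviors
  or sender.email.email == "no-reply@sharepointonline.com"
)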
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
name: "Link: Suspicious SharePoint document name"
description: "The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file."
type: "rule"
severity: "low"
source: |
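// Match SharePoint / OneDrive "shared a file" notifications whose shared-file name
// (taken from the display text of the sharing link) looks like a phishing lure.
// The sender must additionally be unsolicited, or be the SharePoint no-reply address.
type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
// strings.ilike is a whole-string glob match (compare the wildcarded patterns
// above), so the exclusion needs wildcards to catch text that merely contains
// the phrase; without them it only excluded a body that is exactly this string
and not strings.ilike(body.current_thread.text, "*invited you to edit*")
and (
  // use the display text of the link to determine the name of the file
  any(filter(body.links,
             (
               .href_url.domain.root_domain == "sharepoint.com"
               or .href_url.domain.root_domain == "1drv.ms"
               // handle urls with mimecast rewriting
               or (
                 .href_url.domain.root_domain == 'mimecastprotect.com'
                 and strings.icontains(.href_url.query_params,
                                       '.sharepoint.com'
                 )
               )
             )
             // "Open" is the generic button label, not the file name
             and .display_text != "Open"
             // links into the organization's own tenant are out of scope
             and not .href_url.domain.domain in $tenant_domains
      ),
      // the file name does not include lowercase letters, while allowing for non letter chars
      regex.match(.display_text, '^[^a-z]+$')
      // file sharing service references
      or strings.icontains(.display_text, 'dropbox')
      or strings.icontains(.display_text, 'docusign')
      // file name lures
      // secure theme
      or regex.icontains(.display_text, 'secured?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'important.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'shared?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'protected.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'encrypted.*(?:file|document|docs|fax)')
      // scanner theme: 'scanne[rd]_' is a character class, so this must be a
      // regex call; strings.icontains would only match the literal brackets
      or regex.icontains(.display_text, 'scanne[rd]_')
      // image themed
      or strings.icontains(.display_text, '_IMG_')
      or regex.icontains(.display_text, '^IMG[_-](?:\d|\W)+$')
      // digits
      or regex.icontains(.display_text, 'doc(?:ument)?\s?\d+$')
      or regex.icontains(.display_text, '^\d+$')
      // onedrive theme
      or strings.icontains(.display_text, 'one_docx')
      or strings.icontains(.display_text, 'OneDrive')
      or regex.icontains(.display_text, 'A document.*One.?Drive')
      // action in file name
      or strings.icontains(.display_text, 'click here')
      or strings.icontains(.display_text, 'Download PDF')
      or strings.icontains(.display_text, 'Validate')
      or strings.icontains(.display_text, 'sent you ')
      // limited file name to "confidential" (=~ is a case-insensitive whole-string compare)
      or .display_text =~ 'Confidentiality'
      or .display_text =~ 'Confidential'
      // invoice themes
      or any(ml.nlu_classifier(.display_text).entities, .name == "financial")
      or strings.icontains(.display_text, 'payment')
      or strings.icontains(.display_text, 'invoice')
      or regex.icontains(.display_text, 'INV(?:_|\s)?\d+$')
      // starts with INV_ or INV\x20
      or regex.icontains(.display_text, '^INV(?:_|\s)')
      or regex.icontains(.display_text, 'P[O0]\W+?\d+$')
      or strings.icontains(.display_text, 'receipt')
      or strings.icontains(.display_text, 'billing')
      or (
        strings.icontains(.display_text, 'statement')
        and not .display_text =~ "Privacy Statement"
      )
      or strings.icontains(.display_text, 'Past Due')
      or regex.icontains(.display_text, 'Remit(tance)?')
      or strings.icontains(.display_text, 'Purchase Order')
      // contract language
      or strings.icontains(.display_text, 'settlement')
      or strings.icontains(.display_text, 'contract agreement')
      or regex.icontains(.display_text, 'Pr[0o]p[0o]sal')
      or strings.icontains(.display_text, 'contract doc')
      // generic document name AND additional suspicious indicator
      or (
        // imatch is a whole-string match: the name is exactly "document"/"documents"
        regex.imatch(.display_text, 'documents?')
        and (
          // Find the share comment in the HTML and check for reply/forward "impersonation"
          regex.icontains(body.html.raw,
                          '<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)'
          )
        )
      )
      // Payroll/HR
      // section also used in abuse_dropbox_sus_names.yml with modified input
      or strings.icontains(.display_text, 'Payroll')
      // '\b' is a regex word boundary, so this must be a regex call rather than
      // a literal substring search
      or regex.icontains(.display_text, 'Employee Pay\b')
      or strings.icontains(.display_text, 'Salary')
      or strings.icontains(.display_text, 'Benefit Enrollment')
      or strings.icontains(.display_text, 'Employee Handbook')
      or strings.icontains(.display_text, 'Reimbursement Approved')
      or regex.icontains(.display_text,
                         '(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
      )
      // pattern of `sld - open items`
      or strings.istarts_with(.display_text,
                              strings.concat(sender.email.domain.sld, ' - ')
      )
  )
)
and (
  // the sender has never had email sent to them
  profile.by_sender().solicited == false
  // oftentimes no-reply is solicited due to various behaviors
  or sender.email.email == "no-reply@sharepointonline.com"
)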
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Free file host"
- "Evasion"
detection_methods:
- "Content analysis"
id: "f95fee6e-8127-5888-a9a9-4bbeabfe33a3"