EXPLORE
Sign In
← Back to Explore
sublimeRule

Office 365 fake file share

Detection Query

type.inbound
and any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts)
and headers.return_path.email != sender.email.email
and (
  length(recipients.to) == 1
  and any(recipients.to, .email.email == sender.email.email)
  and headers.return_path.email != sender.email.email
)
and 1 of (
  any(headers.hops, any(.fields, .name =~ "replyto" and .value == "")),
  strings.like(sender.display_name, "*HR*"),
  regex.icontains(subject.subject, "file was shared", "covid-19"),
  regex.icontains(body.html.inner_text, "file was shared", "scanned", "virus")
)

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: Office 365 fake file share
source: |
  type.inbound
  and any(body.links, .href_url.domain.root_domain in $free_subdomain_hosts)
  and headers.return_path.email != sender.email.email
  and (
    length(recipients.to) == 1
    and any(recipients.to, .email.email == sender.email.email)
    and headers.return_path.email != sender.email.email
  )
  and 1 of (
    any(headers.hops, any(.fields, .name =~ "replyto" and .value == "")),
    strings.like(sender.display_name, "*HR*"),
    regex.icontains(subject.subject, "file was shared", "covid-19"),
    regex.icontains(body.html.inner_text, "file was shared", "scanned", "virus")
  )
type: rule