Credential phishing: Onedrive impersonation

Severity: high
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule detects messages impersonating Microsoft's OneDrive service with medium to high credential theft language in the current thread. The subject is inspected for one drive language, with additional checks for free_subdomain hosted links, additional suspicious subject language or suspicious display text language.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Free subdomain host, Impersonation: Brand, Social engineering

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
body.links (collection)
headers (collection)
headers.auth_summary
headers.hops (collection)
sender
sender.email
subject
type

Rule body MQL

type.inbound
// one drive is found in the sender display name or sender local part
and (
  (
    regex.icontains(sender.display_name, '[0o]ne\s?dr[il1]ve')
    or regex.icontains(sender.email.local_part, '[0o]ne\s?dr[il1]ve')
    or 0 < strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                                "one?drive"
    ) < 2
    or any(attachments,
           (
             regex.icontains(.file_name, '[0o]ne\s?dr[il1]ve')
             and not any(file.explode(.),
                         any(.scan.exiftool.fields,
                             .key == "Model"
                             or (
                               .key == "Software"
                               and strings.starts_with(.value, "Android")
                             )
                         )
                         // exclude images taken with mobile cameras and screenshots from Apple
                         or any(.scan.exiftool.fields,
                                .key == "DeviceManufacturer"
                                and .value == "Apple Computer Inc."
                         )
             )
           )
           // pdf with OneDrive impersonation
           or (
             .file_type == "pdf"
             and any(ml.logo_detect(.).brands, .name == "Microsoft")
             and any(file.explode(.),
                     any(.scan.strings.strings,
                         strings.icontains(., "shared a file")
                     )
             )
           )
    )
  )
  or regex.imatch(strings.replace_confusables(body.current_thread.text),
                  '[0o]ne\s?dr[il1]ve.*'
  )
  // or one drive is in the subject with a freefile host, additional suspicious language, or suspicious display text
  or (
    regex.icontains(strings.replace_confusables(subject.subject),
                    '[0o]ne\s?dr[il1]ve'
    )
    and (
      any(body.links,
          .href_url.domain.root_domain in $free_subdomain_hosts
          and .href_url.domain.subdomain is not null
          and .href_url.domain.subdomain != "www"
      )
      or regex.contains(subject.subject, '(shared.{0,30}document)')
      or any(body.links,
             regex.icontains(.display_text,
                             "((view|show|access).(?:report|document)|review doc|view doc|view.attached)"
             )
      )
    )
  )
  or (
    any(beta.ml_topic(body.current_thread.text).topics,
        .name == "File Sharing and Cloud Services" and .confidence == "high"
    )
    // more than half of the links with display text contain the keyword "onedrive"
    and ratio(filter(body.links, .display_text is not null),
              regex.icontains(.display_text, '[0o]ne\s?dr[il1]ve')
    ) > 0.5
  )
)

// and body language is med/high confidence cred theft
and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "cred_theft" and .confidence in ("medium", "high")
  )
  or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
         .name == "cred_theft" and .confidence in ("medium", "high")
  )
)
and length(body.links) < 10
and not (
  sender.email.domain.root_domain in (
    "bing.com",
    "microsoft.com",
    "microsoftonline.com",
    "microsoftsupport.com",
    "microsoft365.com",
    "office.com",
    "onedrive.com",
    "sharepointonline.com",
    "yammer.com",
  )
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// negate highly trusted sender domains unless they fail DMARC authentication
and not (
  sender.email.domain.root_domain in $high_trust_sender_root_domains
  and coalesce(headers.auth_summary.dmarc.pass, false)
)

// excludes docusign senders that contain "via" in the display name
and not (
  any(headers.hops,
      any(.fields,
          .name == "X-Api-Host" and strings.ends_with(.value, "docusign.net")
      )
  )
  and strings.contains(sender.display_name, "via")
)
and not profile.by_sender().any_messages_benign

Detection logic

Scope: inbound message.

inbound message
any of:
- any of:
  - sender.display_name matches '[0o]ne\\s?dr[il1]ve'
  - sender.email.local_part matches '[0o]ne\\s?dr[il1]ve'
  - all of:
    
    strings.replace_confusables(sender.display_name) is similar to 'one?drive'
    strings.replace_confusables(sender.display_name) is similar to 'one?drive'
  - any of attachments where any holds:
    
    all of:
    
    .file_name matches '[0o]ne\\s?dr[il1]ve'
    not:
    
    any of file.explode(.) where any holds:
    
    any of .scan.exiftool.fields where any holds:
    
    .key is 'Model'
    all of:
    
    .key is 'Software'
    .value starts with 'Android'
    any of .scan.exiftool.fields where all hold:
    
    .key is 'DeviceManufacturer'
    .value is 'Apple Computer Inc.'
    all of:
    
    .file_type is 'pdf'
    any of ml.logo_detect(.).brands where:
    
    .name is 'Microsoft'
    any of file.explode(.) where:
    
    any of .scan.strings.strings where:
    
    . contains 'shared a file'
- strings.replace_confusables(body.current_thread.text) matches '[0o]ne\\s?dr[il1]ve.*'
- all of:
  - strings.replace_confusables(subject.subject) matches '[0o]ne\\s?dr[il1]ve'
  - any of:
    
    any of body.links where all hold:
    
    .href_url.domain.root_domain in $free_subdomain_hosts
    .href_url.domain.subdomain is set
    .href_url.domain.subdomain is not 'www'
    subject.subject matches '(shared.{0,30}document)'
    any of body.links where:
    
    .display_text matches '((view|show|access).(?:report|document)|review doc|view doc|view.attached)'
- all of:
  - any of beta.ml_topic(body.current_thread.text).topics where all hold:
    
    .name is 'File Sharing and Cloud Services'
    .confidence is 'high'
  - ratio(filter(body.links, .display_text is not null)) > 0.5
any of:
- any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
  - .name is 'cred_theft'
  - .confidence in ('medium', 'high')
- any of ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents where all hold:
  - .name is 'cred_theft'
  - .confidence in ('medium', 'high')
length(body.links) < 10
not:
- all of:
  - sender.email.domain.root_domain in ('bing.com', 'microsoft.com', 'microsoftonline.com', 'microsoftsupport.com', 'microsoft365.com', 'office.com', 'onedrive.com', 'sharepointonline.com', 'yammer.com')
  - coalesce(headers.auth_summary.dmarc.pass)
not:
- all of:
  - sender.email.domain.root_domain in $high_trust_sender_root_domains
  - coalesce(headers.auth_summary.dmarc.pass)
not:
- all of:
  - any of headers.hops where:
    
    any of .fields where all hold:
    
    .name is 'X-Api-Host'
    .value ends with 'docusign.net'
  - sender.display_name contains 'via'
not:
- profile.by_sender().any_messages_benign

Inspects: attachments[].file_name, attachments[].file_type, body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.root_domain, body.links[].href_url.domain.subdomain, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, sender.display_name, sender.email.domain.root_domain, sender.email.local_part, subject.subject, type.inbound. Sensors: beta.ml_topic, beta.ocr, file.explode, file.message_screenshot, ml.logo_detect, ml.nlu_classifier, profile.by_sender, regex.contains, regex.icontains, regex.imatch, strings.contains, strings.ends_with, strings.icontains, strings.ilevenshtein, strings.replace_confusables, strings.starts_with. Reference lists: $free_subdomain_hosts, $high_trust_sender_root_domains.

Indicators matched (33)

Field	Match	Value
`regex.icontains`	regex	`[0o]ne\s?dr[il1]ve`
`strings.ilevenshtein`	fuzzy	`one?drive`
`file.explode(attachments[])[].scan.exiftool.fields[].key`	equals	`Model`
`file.explode(attachments[])[].scan.exiftool.fields[].key`	equals	`Software`
`strings.starts_with`	prefix	`Android`
`file.explode(attachments[])[].scan.exiftool.fields[].key`	equals	`DeviceManufacturer`
`file.explode(attachments[])[].scan.exiftool.fields[].value`	equals	`Apple Computer Inc.`
`attachments[].file_type`	equals	`pdf`
`ml.logo_detect(attachments[]).brands[].name`	equals	`Microsoft`
`strings.icontains`	substring	`shared a file`
`regex.imatch`	regex	`[0o]ne\s?dr[il1]ve.*`
`regex.contains`	regex	`(shared.{0,30}document)`

21 more

`regex.icontains`	regex	`((view\|show\|access).(?:report\|document)\|review doc\|view doc\|view.attached)`
`beta.ml_topic(body.current_thread.text).topics[].name`	equals	`File Sharing and Cloud Services`
`beta.ml_topic(body.current_thread.text).topics[].confidence`	equals	`high`
`ml.nlu_classifier(body.current_thread.text).intents[].name`	equals	`cred_theft`
`ml.nlu_classifier(body.current_thread.text).intents[].confidence`	member	`medium`
`ml.nlu_classifier(body.current_thread.text).intents[].confidence`	member	`high`
`ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents[].name`	equals	`cred_theft`
`ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents[].confidence`	member	`medium`
`ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents[].confidence`	member	`high`
`sender.email.domain.root_domain`	member	`bing.com`
`sender.email.domain.root_domain`	member	`microsoft.com`
`sender.email.domain.root_domain`	member	`microsoftonline.com`
`sender.email.domain.root_domain`	member	`microsoftsupport.com`
`sender.email.domain.root_domain`	member	`microsoft365.com`
`sender.email.domain.root_domain`	member	`office.com`
`sender.email.domain.root_domain`	member	`onedrive.com`
`sender.email.domain.root_domain`	member	`sharepointonline.com`
`sender.email.domain.root_domain`	member	`yammer.com`
`headers.hops[].fields[].name`	equals	`X-Api-Host`
`strings.ends_with`	suffix	`docusign.net`
`strings.contains`	substring	`via`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)