Link: Secure SharePoint file share from new or unusual sender

Severity
low
Type
rule
Source
github.com/sublime-security/sublime-rules

This ASR rule detects the use of secure SharePoint links which require recipient verification before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category               | Values
Attack types           | Credential Phishing
Tactics and techniques | Free file host, Evasion

Event coverage

Rule body MQL

type.inbound
// SharePoint email indicators
and strings.like(body.current_thread.text,
                 "*shared a file with you*",
                 "*shared with you*",
                 "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")
// the Sharepoint file has been "Protected"
and any([body.plain.raw, body.current_thread.text],
        strings.icontains(.,
                          "This link only works for the direct recipients of this message"
        )
)
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")

// sender is uncommon
and (
  (
    profile.by_sender_email().prevalence in ("new", "rare", "outlier")
    and not profile.by_sender_email().solicited
  )
  // or the reply-to address has never sent an email to the org
  or (
    sender.email.domain.root_domain == "sharepointonline.com"
    and beta.profile.by_reply_to().prevalence == "new"
  )
  // or the message contains suspect language
  or (regex.icontains(body.current_thread.text, '(kindly)'))
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. body.current_thread.text matches any of 3 patterns
    • *shared a file with you*
    • *shared with you*
    • *invited you to access a file*
  3. subject.subject contains 'shared'
  4. any of [body.plain.raw, body.current_thread.text] where:
    • . contains 'This link only works for the direct recipients of this message'
  5. any of body.links where:
    • .href_url.domain.root_domain is 'sharepoint.com'
  6. any of:
    • all of:
      • profile.by_sender_email().prevalence in ('new', 'rare', 'outlier')
      • not:
        • profile.by_sender_email().solicited
    • all of:
      • sender.email.domain.root_domain is 'sharepointonline.com'
      • beta.profile.by_reply_to().prevalence is 'new'
    • body.current_thread.text matches '(kindly)'

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, body.plain.raw, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: beta.profile.by_reply_to, profile.by_sender_email, regex.icontains, strings.icontains, strings.like.
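To see how the conditions above combine, here is the rule body re-implemented in plain Python and run over constructed share notifications. This is an added example, not code from sublime-rules; the message dict, its field names and the profile values (prevalence, solicited) are assumed stand-ins for Sublime's message model and sensors.

```python
import re
from fnmatch import fnmatchcase
# Added example, not from sublime-rules: the rule body re-implemented in plain
# Python over constructed messages. Profile values are assumed stand-ins for
# Sublime's sender/reply-to prevalence sensors, which have no offline equivalent.
SHARE_PATTERNS = ("*shared a file with you*", "*shared with you*",
                  "*invited you to access a file*")
PROTECTED_PHRASE = "this link only works for the direct recipients of this message"

def matches_rule(msg):
    """True when every condition of the rule body holds for the message."""
    thread = msg["current_thread_text"]
    if not msg["inbound"]:
        return False
    if not any(fnmatchcase(thread, p) for p in SHARE_PATTERNS):  # strings.like
        return False
    if "shared" not in msg["subject"].lower():                   # strings.icontains
        return False
    # the "Protected" share wording, in either the raw body or the thread text
    if not any(PROTECTED_PHRASE in t.lower() for t in (msg["plain_raw"], thread)):
        return False
    if "sharepoint.com" not in msg["link_root_domains"]:         # any(body.links, ...)
        return False
    # sender-side block: any one of the three branches is enough
    sender_uncommon = (msg["sender_prevalence"] in ("new", "rare", "outlier")
                       and not msg["sender_solicited"])
    reply_to_new = (msg["sender_root_domain"] == "sharepointonline.com"
                    and msg["reply_to_prevalence"] == "new")
    suspect_language = re.search("(kindly)", thread, re.IGNORECASE) is not None
    return sender_uncommon or reply_to_new or suspect_language

def sample(**overrides):
    """Constructed SharePoint share notification; overrides vary one field."""
    base = {"inbound": True, "subject": "Q3 report shared with you",
            "current_thread_text": "Pat shared a file with you. Open the report.",
            "plain_raw": "This link only works for the direct recipients of this message.",
            "link_root_domains": ["sharepoint.com"],
            "sender_root_domain": "sharepointonline.com",
            "sender_prevalence": "common", "sender_solicited": True,
            "reply_to_prevalence": "common"}
    base.update(overrides)
    return base

KNOWN_SENDER = sample()                        # established sender: no hit
NEW_UNSOLICITED = sample(sender_prevalence="new", sender_solicited=False)
NEW_REPLY_TO = sample(reply_to_prevalence="new")
KINDLY_WORDING = sample(current_thread_text="Pat shared a file with you. Kindly review it.")
NO_PROTECTED_TEXT = sample(plain_raw="Open the report.", sender_prevalence="new",
                           sender_solicited=False)
```

The established-sender case shows why the rule stays low severity: a genuine "Protected" share from a known, solicited sender clears every content check and is only flagged once one of the sender-side branches fires.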

Indicators matched (8)

Field                                   | Match     | Value
strings.like                            | substring | *shared a file with you*
strings.like                            | substring | *shared with you*
strings.like                            | substring | *invited you to access a file*
strings.icontains                       | substring | shared
strings.icontains                       | substring | This link only works for the direct recipients of this message
body.links[].href_url.domain.root_domain | equals    | sharepoint.com
sender.email.domain.root_domain         | equals    | sharepointonline.com
regex.icontains                         | regex     | (kindly)