Sharepoint online with external recipients and external display name
An email from SharePoint Online that was sent to many recipients and whose sender display name does not belong to anyone in your organization.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing, Spam |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| recipients |
| recipients.to (collection) |
| sender |
| sender.email |
| type |
Rule body MQL

```
type.inbound
and sender.email.email == "no-reply@sharepointonline.com"
and length(recipients.to) > 40 // You may want to adjust this threshold if 40 is too aggressive
and any(recipients.to, .email.domain.domain in $free_email_providers)
and sender.display_name not in $org_display_names
```
Detection logic
Scope: inbound message.
- inbound message
- sender.email.email is 'no-reply@sharepointonline.com'
- length(recipients.to) > 40
- any of recipients.to where:
  - .email.domain.domain in $free_email_providers
- sender.display_name not in $org_display_names
Inspects: recipients.to, recipients.to[].email.domain.domain, sender.display_name, sender.email.email, type.inbound. Reference lists: $free_email_providers, $org_display_names.
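To show how the five conditions combine, and which one a non-matching message fails on when tuning the threshold, here is a Python model of the detection logic evaluated over constructed sample messages. This is an added example, not Sublime's code or MQL evaluator: the `Message` class, the `FREE_EMAIL_PROVIDERS` and `ORG_DISPLAY_NAMES` sets standing in for `$free_email_providers` and `$org_display_names`, and the exact-match treatment of the display-name comparison are all assumptions made for the example.

```python
"""Model of the SharePoint Online bulk-recipient rule over constructed messages.

Added example, not Sublime's code. The reference lists and message shape are
assumptions; in Sublime the lists are $free_email_providers / $org_display_names.
"""
from dataclasses import dataclass

# Hypothetical stand-ins for Sublime's reference lists (constructed values).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
ORG_DISPLAY_NAMES = {"Alice Example", "Bob Example", "Example Corp IT"}

SHAREPOINT_SENDER = "no-reply@sharepointonline.com"
RECIPIENT_THRESHOLD = 40  # mirrors length(recipients.to) > 40 in the rule


@dataclass
class Message:
    """Minimal view of the message attributes the rule inspects."""
    inbound: bool
    sender_email: str
    sender_display_name: str
    recipients_to: list  # list of recipient addresses (recipients.to[].email)


def domain_of(address: str) -> str:
    """Return the lowercased domain part of an address (recipients.to[].email.domain.domain)."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate(msg: Message, threshold: int = RECIPIENT_THRESHOLD) -> dict:
    """Evaluate each rule condition separately so a tuner can see which one failed."""
    return {
        "type.inbound": msg.inbound,
        "sender_is_sharepoint": msg.sender_email.lower() == SHAREPOINT_SENDER,
        "recipient_count_over_threshold": len(msg.recipients_to) > threshold,
        "any_recipient_free_email": any(
            domain_of(r) in FREE_EMAIL_PROVIDERS for r in msg.recipients_to
        ),
        # Assumption: exact-string membership, as written in the rule.
        "display_name_not_in_org": msg.sender_display_name not in ORG_DISPLAY_NAMES,
    }


def matches_rule(msg: Message, threshold: int = RECIPIENT_THRESHOLD) -> bool:
    """The rule fires only when every condition holds (the MQL 'and' chain)."""
    return all(evaluate(msg, threshold).values())


def failed_conditions(msg: Message, threshold: int = RECIPIENT_THRESHOLD) -> list:
    """Names of the conditions that did not hold, in rule order."""
    return [name for name, ok in evaluate(msg, threshold).items() if not ok]


# Constructed sample messages.
_corp = [f"user{i}@example.com" for i in range(44)]

# 45 recipients, one at a free provider, unfamiliar display name: should match.
SAMPLE_MATCH = Message(
    inbound=True,
    sender_email=SHAREPOINT_SENDER,
    sender_display_name="Payroll Portal",
    recipients_to=_corp + ["contractor@gmail.com"],
)

# Same share but from a known org display name: should not match.
SAMPLE_KNOWN_SENDER = Message(
    inbound=True,
    sender_email=SHAREPOINT_SENDER,
    sender_display_name="Alice Example",
    recipients_to=_corp + ["contractor@gmail.com"],
)

# Only 30 recipients: below the threshold, should not match.
SAMPLE_SMALL = Message(
    inbound=True,
    sender_email=SHAREPOINT_SENDER,
    sender_display_name="Payroll Portal",
    recipients_to=_corp[:29] + ["contractor@gmail.com"],
)

# Large share, but every recipient is on the corporate domain: should not match.
SAMPLE_ALL_CORP = Message(
    inbound=True,
    sender_email=SHAREPOINT_SENDER,
    sender_display_name="Payroll Portal",
    recipients_to=_corp + ["user44@example.com"],
)


if __name__ == "__main__":
    for label, m in [("match", SAMPLE_MATCH), ("known sender", SAMPLE_KNOWN_SENDER),
                     ("small", SAMPLE_SMALL), ("all corporate", SAMPLE_ALL_CORP)]:
        print(f"{label:14} fires={matches_rule(m)} failed={failed_conditions(m)}")
```

Running `failed_conditions` on the messages that do not fire makes the role of each clause visible: the 30-recipient share fails only the threshold clause, and the all-corporate share fails only the free-provider clause, which is the kind of evidence to look at before lowering the `40` in the rule body.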
Indicators matched (1)
| Field | Match | Value |
|---|---|---|
| sender.email.email | equals | no-reply@sharepointonline.com |