Link: Suspicious SharePoint document name

Severity: low
Type: rule
Source: github.com/sublime-security/sublime-rules

The detection rule is intended to match on emails sent from SharePoint indicating a shared file to the recipient that contain suspicious content within the document name. The Link display text is leveraged to identify the name of the shared file.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Credential Phishing
Tactics and techniques	Free file host, Evasion

Event coverage

Message attribute
body
body.current_thread
body.html
body.links (collection)
sender.email
subject
type

Rule body MQL

type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
and not strings.ilike(body.current_thread.text, "invited you to edit")
and (
  // use the display text of the link to determine the name of the file
  any(filter(body.links,
             (
               .href_url.domain.root_domain == "sharepoint.com"
               or .href_url.domain.root_domain == "1drv.ms"
               // handle urls with mimecast rewriting
               or (
                 .href_url.domain.root_domain == 'mimecastprotect.com'
                 and strings.icontains(.href_url.query_params,
                                       '.sharepoint.com'
                 )
               )
             )
             and .display_text != "Open"
             and not .href_url.domain.domain in $tenant_domains
      ),

      // the file name does not include lowercase letters, while allowing for non letter chars
      regex.match(.display_text, '^[^a-z]+$')

      // file sharing service references
      or strings.icontains(.display_text, 'dropbox')
      or strings.icontains(.display_text, 'docusign')

      // file name lures
      // secure theme
      or regex.icontains(.display_text, 'secured?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'important.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'shared?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'protected.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'encrypted.*(?:file|document|docs|fax)')

      // scanner theme
      or strings.icontains(.display_text, 'scanne[rd]_')
      // image themed
      or strings.icontains(.display_text, '_IMG_')
      or regex.icontains(.display_text, '^IMG[_-](?:\d|\W)+$')

      // digits
      or regex.icontains(.display_text, 'doc(?:ument)?\s?\d+$')
      or regex.icontains(.display_text, '^\d+$')

      // onedrive theme
      or strings.icontains(.display_text, 'one_docx')
      or strings.icontains(.display_text, 'OneDrive')
      or regex.icontains(.display_text, 'A document.*One.?Drive')

      // action in file name
      or strings.icontains(.display_text, 'click here')
      or strings.icontains(.display_text, 'Download PDF')
      or strings.icontains(.display_text, 'Validate')
      or strings.icontains(.display_text, 'sent you ')

      // limited file name to "confidential"
      or .display_text =~ 'Confidentiality'
      or .display_text =~ 'Confidential'

      // invoice themes
      or any(ml.nlu_classifier(.display_text).entities, .name == "financial")
      or strings.icontains(.display_text, 'payment')
      or strings.icontains(.display_text, 'invoice')
      or regex.icontains(.display_text, 'INV(?:_|\s)?\d+$')
      // starts with INV_ or INV\x20
      or regex.icontains(.display_text, '^INV(?:_|\s)')
      or regex.icontains(.display_text, 'P[O0]\W+?\d+$')
      or strings.icontains(.display_text, 'receipt')
      or strings.icontains(.display_text, 'billing')
      or (
        strings.icontains(.display_text, 'statement')
        and not .display_text =~ "Privacy Statement"
      )
      or strings.icontains(.display_text, 'Past Due')
      or regex.icontains(.display_text, 'Remit(tance)?')
      or strings.icontains(.display_text, 'Purchase Order')

      // contract language
      or strings.icontains(.display_text, 'settlement')
      or strings.icontains(.display_text, 'contract agreement')
      or regex.icontains(.display_text, 'Pr[0o]p[0o]sal')
      or strings.icontains(.display_text, 'contract doc')

      // generic document name AND additional suspicious indicator
      or (
        regex.imatch(.display_text, 'documents?')
        and (
          // Find the share comment in the HTML and check for reply/forward "impersonation"
          regex.icontains(body.html.raw,
                          '<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)'
          )
        )
      )

      // Payroll/HR
      // section also used in abuse_dropbox_sus_names.yml with modified input
      or strings.icontains(.display_text, 'Payroll')
      or strings.icontains(.display_text, 'Employee Pay\b')
      or strings.icontains(.display_text, 'Salary')
      or strings.icontains(.display_text, 'Benefit Enrollment')
      or strings.icontains(.display_text, 'Employee Handbook')
      or strings.icontains(.display_text, 'Reimbursement Approved')
      or regex.icontains(.display_text,
                         '(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?'
      )

      // pattern of `sld - open items`
      or strings.istarts_with(.display_text,
                              strings.concat(sender.email.domain.sld, ' - ')
      )
  )
)
and (
  // and sender has never had email sent to them
  profile.by_sender().solicited == false
  // often times no-reply is soliticed due to various behaviors
  or sender.email.email == "no-reply@sharepointonline.com"
)

Detection logic

Scope: inbound message.

inbound message
subject.subject matches any of 2 patterns
- *shared*
- *invit*
body.current_thread.text matches any of 3 patterns
- *shared a file with you*
- *shared with you*
- *invited you to access a file*
not:
- body.current_thread.text matches 'invited you to edit'
any of filter(body.links) where any holds:
- .display_text matches '^[^a-z]+$'
- .display_text contains 'dropbox'
- .display_text contains 'docusign'
- .display_text matches 'secured?.*(?:file|document|docs|fax)'
- .display_text matches 'important.*(?:file|document|docs|fax)'
- .display_text matches 'shared?.*(?:file|document|docs|fax)'
- .display_text matches 'protected.*(?:file|document|docs|fax)'
- .display_text matches 'encrypted.*(?:file|document|docs|fax)'
- .display_text contains 'scanne[rd]_'
- .display_text contains '_IMG_'
- .display_text matches '^IMG[_-](?:\\d|\\W)+$'
- .display_text matches 'doc(?:ument)?\\s?\\d+$'
- .display_text matches '^\\d+$'
- .display_text contains 'one_docx'
- .display_text contains 'OneDrive'
- .display_text matches 'A document.*One.?Drive'
- .display_text contains 'click here'
- .display_text contains 'Download PDF'
- .display_text contains 'Validate'
- .display_text contains 'sent you '
- .display_text is 'Confidentiality'
- .display_text is 'Confidential'
- any of ml.nlu_classifier(.display_text).entities where:
  - .name is 'financial'
- .display_text contains 'payment'
- .display_text contains 'invoice'
- .display_text matches 'INV(?:_|\\s)?\\d+$'
- .display_text matches '^INV(?:_|\\s)'
- .display_text matches 'P[O0]\\W+?\\d+$'
- .display_text contains 'receipt'
- .display_text contains 'billing'
- all of:
  - .display_text contains 'statement'
  - not:
    
    .display_text is 'Privacy Statement'
- .display_text contains 'Past Due'
- .display_text matches 'Remit(tance)?'
- .display_text contains 'Purchase Order'
- .display_text contains 'settlement'
- .display_text contains 'contract agreement'
- .display_text matches 'Pr[0o]p[0o]sal'
- .display_text contains 'contract doc'
- all of:
  - .display_text matches 'documents?'
  - body.html.raw matches '<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)'
- .display_text contains 'Payroll'
- .display_text contains 'Employee Pay\\b'
- .display_text contains 'Salary'
- .display_text contains 'Benefit Enrollment'
- .display_text contains 'Employee Handbook'
- .display_text contains 'Reimbursement Approved'
- .display_text matches '(?:Faculty|Staff)\\s*(?:\\w+\\s+){0,3}\\s*Eval(?:uation)?'
- strings.istarts_with(.display_text)
any of:
- profile.by_sender().solicited is False
- sender.email.email is 'no-reply@sharepointonline.com'

Inspects: body.current_thread.text, body.html.raw, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.query_params, sender.email.domain.sld, sender.email.email, subject.subject, type.inbound. Sensors: ml.nlu_classifier, profile.by_sender, regex.icontains, regex.imatch, regex.match, strings.concat, strings.icontains, strings.ilike, strings.istarts_with. Reference lists: $tenant_domains.

Indicators matched (59)

Field	Match	Value
`strings.ilike`	substring	`shared`
`strings.ilike`	substring	`invit`
`strings.ilike`	substring	`shared a file with you`
`strings.ilike`	substring	`shared with you`
`strings.ilike`	substring	`invited you to access a file`
`strings.ilike`	substring	`invited you to edit`
`body.links[].href_url.domain.root_domain`	equals	`sharepoint.com`
`body.links[].href_url.domain.root_domain`	equals	`1drv.ms`
`body.links[].href_url.domain.root_domain`	equals	`mimecastprotect.com`
`strings.icontains`	substring	`.sharepoint.com`
`regex.match`	regex	`^[^a-z]+$`
`strings.icontains`	substring	`dropbox`

47 more

`strings.icontains`	substring	`docusign`
`regex.icontains`	regex	`secured?.*(?:file\|document\|docs\|fax)`
`regex.icontains`	regex	`important.*(?:file\|document\|docs\|fax)`
`regex.icontains`	regex	`shared?.*(?:file\|document\|docs\|fax)`
`regex.icontains`	regex	`protected.*(?:file\|document\|docs\|fax)`
`regex.icontains`	regex	`encrypted.*(?:file\|document\|docs\|fax)`
`strings.icontains`	substring	`scanne[rd]_`
`strings.icontains`	substring	`_IMG_`
`regex.icontains`	regex	`^IMG[_-](?:\d\|\W)+$`
`regex.icontains`	regex	`doc(?:ument)?\s?\d+$`
`regex.icontains`	regex	`^\d+$`
`strings.icontains`	substring	`one_docx`
`strings.icontains`	substring	`OneDrive`
`regex.icontains`	regex	`A document.*One.?Drive`
`strings.icontains`	substring	`click here`
`strings.icontains`	substring	`Download PDF`
`strings.icontains`	substring	`Validate`
`strings.icontains`	substring	`sent you`
`filter(body.links)[].display_text`	equals	`Confidentiality`
`filter(body.links)[].display_text`	equals	`Confidential`
`ml.nlu_classifier(filter(body.links)[].display_text).entities[].name`	equals	`financial`
`strings.icontains`	substring	`payment`
`strings.icontains`	substring	`invoice`
`regex.icontains`	regex	`INV(?:_\|\s)?\d+$`
`regex.icontains`	regex	`^INV(?:_\|\s)`
`regex.icontains`	regex	`P[O0]\W+?\d+$`
`strings.icontains`	substring	`receipt`
`strings.icontains`	substring	`billing`
`strings.icontains`	substring	`statement`
`filter(body.links)[].display_text`	equals	`Privacy Statement`
`strings.icontains`	substring	`Past Due`
`regex.icontains`	regex	`Remit(tance)?`
`strings.icontains`	substring	`Purchase Order`
`strings.icontains`	substring	`settlement`
`strings.icontains`	substring	`contract agreement`
`regex.icontains`	regex	`Pr[0o]p[0o]sal`
`strings.icontains`	substring	`contract doc`
`regex.imatch`	regex	`documents?`
`regex.icontains`	regex	`<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re\|fwd?)`
`strings.icontains`	substring	`Payroll`
`strings.icontains`	substring	`Employee Pay\b`
`strings.icontains`	substring	`Salary`
`strings.icontains`	substring	`Benefit Enrollment`
`strings.icontains`	substring	`Employee Handbook`
`strings.icontains`	substring	`Reimbursement Approved`
`regex.icontains`	regex	`(?:Faculty\|Staff)\s(?:\w+\s+){0,3}\sEval(?:uation)?`
`sender.email.email`	equals	`no-reply@sharepointonline.com`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)