Service abuse: File sharing impersonation with external SharePoint links

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects inbound messages claiming to share files or invite access, containing SharePoint or OneDrive links from external domains. The rule identifies suspicious sharing notifications where link display text matches the sender's name rather than a legitimate document name, indicating potential impersonation of legitimate file sharing services.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                  Values
Attack types              Credential Phishing
Tactics and techniques    Impersonation: Brand, Social engineering

Rule body MQL

type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
and not strings.ilike(body.current_thread.text, "invited you to edit")
and (
  any(filter(body.current_thread.links,
             .href_url.domain.domain not in $tenant_domains
             and (
               .href_url.domain.root_domain == "sharepoint.com"
               or .href_url.domain.root_domain == "1drv.ms"
               or (
                 .href_url.domain.root_domain == 'mimecastprotect.com'
                 and strings.icontains(.href_url.query_params,
                                       '.sharepoint.com'
                 )
               )
             )
             and .display_text != "Open"
      ),
      // check if the display_text exactly matches the sender's display name
      .display_text == sender.display_name
  )
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. subject.subject matches any of 2 patterns
    • *shared*
    • *invit*
  3. body.current_thread.text matches any of 3 patterns
    • *shared a file with you*
    • *shared with you*
    • *invited you to access a file*
  4. not:
    • body.current_thread.text matches 'invited you to edit'
  5. any of filter(body.current_thread.links) where all of:
    • .href_url.domain.domain is not in $tenant_domains
    • .href_url.domain.root_domain is sharepoint.com or 1drv.ms, or is mimecastprotect.com with '.sharepoint.com' in .href_url.query_params
    • .display_text is not "Open"
    and, for at least one of those filtered links:
    • .display_text is sender.display_name

Inspects: body.current_thread.links, body.current_thread.links[].display_text, body.current_thread.links[].href_url.domain.domain, body.current_thread.links[].href_url.domain.root_domain, body.current_thread.links[].href_url.query_params, body.current_thread.text, sender.display_name, subject.subject, type.inbound. Sensors: strings.icontains, strings.ilike. Reference lists: $tenant_domains.
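To see how the clauses above combine on concrete messages, here is an added Python re-implementation of the rule logic (not Sublime's MQL engine, its message model, or code from the sublime-rules repository). It assumes a constructed $tenant_domains set and approximates root_domain with the last two host labels, where the real field uses the public-suffix list.

```python
import fnmatch
from urllib.parse import urlparse

# Constructed stand-in for the $tenant_domains reference list (hypothetical organisation).
TENANT_DOMAINS = {"contoso.com", "contoso-my.sharepoint.com"}
SUBJECT_PATTERNS = ("*shared*", "*invit*")
BODY_PATTERNS = ("*shared a file with you*", "*shared with you*",
                 "*invited you to access a file*")

def ilike(text, *patterns):
    """Case-insensitive glob over the whole string, as strings.ilike is used in the rule."""
    t = text.lower()
    return any(fnmatch.fnmatchcase(t, p.lower()) for p in patterns)

def root_domain(host):
    """Approximation: last two labels (the real root_domain field uses the public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])

def is_external_sharing_link(link):
    """Mirrors the filter() clause: non-tenant host on sharepoint.com / 1drv.ms, or a
    mimecastprotect.com rewrite whose query carries '.sharepoint.com'; 'Open' buttons skipped."""
    url = urlparse(link["href_url"])
    host = (url.hostname or "").lower()
    if host in TENANT_DOMAINS or link["display_text"] == "Open":
        return False
    root = root_domain(host)
    if root in ("sharepoint.com", "1drv.ms"):
        return True
    return root == "mimecastprotect.com" and ".sharepoint.com" in url.query.lower()

def matches_rule(msg):
    """True when the constructed message dict satisfies every clause of the rule."""
    if not msg["inbound"] or not ilike(msg["subject"], *SUBJECT_PATTERNS):
        return False
    body = msg["body_text"]
    # The rule's negated pattern has no wildcards, so it is a whole-string comparison.
    if not ilike(body, *BODY_PATTERNS) or ilike(body, "invited you to edit"):
        return False
    candidates = filter(is_external_sharing_link, msg["links"])
    # Link text equal to the sender's name, rather than a document name, is the impersonation tell.
    return any(link["display_text"] == msg["sender_display_name"] for link in candidates)

def sample(display_text, href="https://exampletenant-my.sharepoint.com/:x:/g/personal/doc"):
    """Constructed inbound sharing notification; only the link varies between cases."""
    return {"inbound": True, "subject": "Jane Doe shared a file with you",
            "body_text": "Jane Doe shared a file with you. Open it below.",
            "sender_display_name": "Jane Doe",
            "links": [{"href_url": href, "display_text": display_text}]}

if __name__ == "__main__":
    print(matches_rule(sample("Jane Doe")))        # True: link text is the sender's name
    print(matches_rule(sample("Q3 Budget.xlsx")))  # False: link text is a document name
    print(matches_rule(sample("Jane Doe", "https://contoso-my.sharepoint.com/:x:/g/doc")))  # False
```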

Indicators matched (10)

Field                                                      Match      Value
strings.ilike                                              substring  *shared*
strings.ilike                                              substring  *invit*
strings.ilike                                              substring  *shared a file with you*
strings.ilike                                              substring  *shared with you*
strings.ilike                                              substring  *invited you to access a file*
strings.ilike                                              substring  invited you to edit
body.current_thread.links[].href_url.domain.root_domain    equals     sharepoint.com
body.current_thread.links[].href_url.domain.root_domain    equals     1drv.ms
body.current_thread.links[].href_url.domain.root_domain    equals     mimecastprotect.com
strings.icontains                                          substring  .sharepoint.com