detection.wiki

Detection rules › Sublime MQL

Suspicious SharePoint file sharing

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCredential Phishing
Tactics and techniquesFree email provider, Free file host, OneNote, PDF

Event coverage

Message attribute
body
body.current_thread
body.links (collection)
headers (collection)
headers.reply_to (collection)
sender.email
subject
type

Rule body MQL

type.inbound

// Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
and strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')

// SharePoint email indicators
and strings.like(body.current_thread.text,
                 "*shared a file with you*",
                 "*shared with you*",
                 "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")

// sender analysis 
and (
  (
    // if the sender is not the sharepointonline.com, we can use the sender email
    // to see if it is a solicited email
    sender.email.domain.domain != "sharepointonline.com"
    and not profile.by_sender().solicited
  )
  // if it is the sharepointonline sender, use the reply-to header
  or (
    sender.email.domain.domain =~ "sharepointonline.com"
    and length(headers.reply_to) > 0
    and 
    // a newly created domain
    (
      all(headers.reply_to,
          .email.domain.root_domain not in $free_email_providers
          and network.whois(.email.domain).days_old <= 30
          and .email.email != sender.email.email
      )

      // is a free email provider
      or all(headers.reply_to,
             .email.domain.root_domain in $free_email_providers
      )

      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      
      // no outbound emails 
      or not beta.profile.by_reply_to().solicited
    )
    // do not match if the reply_to address has been observed as a reply_to address
    // of a message that has been classified as benign
    and not beta.profile.by_reply_to().any_messages_benign
  )
)
// link logic
and any(body.links,
        .href_url.domain.root_domain == "sharepoint.com"
        // it is a personal share
        and (
          // /g/ is only found with /personal
          strings.icontains(.href_url.path, '/g/personal/')
          or strings.icontains(.href_url.path, '/p/')
        )
        // it is either a OneNote or PDF
        and (
          strings.icontains(.href_url.path, '/:o:/')
          or strings.icontains(.href_url.path, '/:b:/')
          or strings.icontains(.href_url.path, '/:u:/')
        )
)

Detection logic

Scope: inbound message.

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.

  1. inbound message
  2. headers.message_id starts with '<Share-'
  3. headers.message_id ends with '@odspnotify>'
  4. body.current_thread.text matches any of 3 patterns
    • *shared a file with you*
    • *shared with you*
    • *invited you to access a file*
  5. subject.subject contains 'shared'
  6. any of:
    • all of:
      • sender.email.domain.domain is not 'sharepointonline.com'
      • not:
        • profile.by_sender().solicited
    • all of:
      • sender.email.domain.domain is 'sharepointonline.com'
      • length(headers.reply_to) > 0
      • any of:
        • all of headers.reply_to where all hold:
          • .email.domain.root_domain not in $free_email_providers
          • network.whois(.email.domain).days_old ≤ 30
          • .email.email is not sender.email.email
        • all of headers.reply_to where:
          • .email.domain.root_domain in $free_email_providers
        • not:
          • beta.profile.by_reply_to().solicited
      • not:
        • beta.profile.by_reply_to().any_messages_benign
  7. any of body.links where all hold:
    • .href_url.domain.root_domain is 'sharepoint.com'
    • any of:
      • .href_url.path contains '/g/personal/'
      • .href_url.path contains '/p/'
    • any of:
      • .href_url.path contains '/:o:/'
      • .href_url.path contains '/:b:/'
      • .href_url.path contains '/:u:/'

Inspects: body.current_thread.text, body.links, body.links[].href_url.domain.root_domain, body.links[].href_url.path, headers.message_id, headers.reply_to, headers.reply_to[].email.domain, headers.reply_to[].email.domain.root_domain, headers.reply_to[].email.email, sender.email.domain.domain, sender.email.email, subject.subject, type.inbound. Sensors: beta.profile.by_reply_to, network.whois, profile.by_sender, strings.ends_with, strings.icontains, strings.like, strings.starts_with. Reference lists: $free_email_providers.

Indicators matched (13)

FieldMatchValue
strings.starts_withprefix<Share-
strings.ends_withsuffix@odspnotify>
strings.likesubstring*shared a file with you*
strings.likesubstring*shared with you*
strings.likesubstring*invited you to access a file*
strings.icontainssubstringshared
sender.email.domain.domainequalssharepointonline.com
body.links[].href_url.domain.root_domainequalssharepoint.com
strings.icontainssubstring/g/personal/
strings.icontainssubstring/p/
strings.icontainssubstring/:o:/
strings.icontainssubstring/:b:/
1 more
strings.icontainssubstring/:u:/