• Sublime Core Feed
High Severity

Brand impersonation: Sharepoint

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Computer Vision
Content analysis
File analysis
Natural Language Understanding
Sender analysis

Description

Body, attached images or pdf contains a Sharepoint logo. The message contains a link and credential theft language.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jun 12th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and length(body.links) > 0
and (
  any(attachments,
      (.file_type in $file_types_images or .file_type == "pdf")
      and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
  )
  or any(ml.logo_detect(beta.message_screenshot()).brands,
         .name == "Microsoft SharePoint"
  )
  or strings.istarts_with(strings.replace_confusables(body.current_thread.text), "Sharepoint")
  or regex.icontains(body.html.raw, '<img.*(title=|alt=).share.*src=""')  // broken Sharepoint logo
)
and (
  (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    or any(file.explode(beta.message_screenshot()),
           any(ml.nlu_classifier(.scan.ocr.raw).intents,
               .name == "cred_theft" and .confidence == "high"
           )
    )
  )
  or any(ml.nlu_classifier(body.current_thread.text).entities,
         .name == "urgency" and strings.ilike(.text, "*encrypted*")
  )
)

and (
  not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "R:")
      or strings.istarts_with(subject.subject, "ODG:")
      or strings.istarts_with(subject.subject, "答复:")
      or strings.istarts_with(subject.subject, "AW:")
      or strings.istarts_with(subject.subject, "TR:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?)\s?:')
      or regex.imatch(subject.subject,
                      '^\[?(EXT|EXTERNAL)\]?[: ]\s*(RE|FWD?|FW|AW|TR|ODG|答复):.*'
      )
    )
    and (
      (
        length(headers.references) > 0
        or any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
      )
      // ensure that there are actual threads
      and (length(body.html.display_text) - length(body.current_thread.text)) > 200
    )
  )
  or length(body.current_thread.text) == 0
)

and (
  profile.by_sender_email().prevalence != 'common'
  or not profile.by_sender_email().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_false_positives

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

// negate sharepoint file share
and not (
  // based on the message id format
  (
    (
      strings.starts_with(headers.message_id, '<Share-')
      and strings.ends_with(headers.message_id, '@odspnotify>')
    )
    // deal with Google thinking the message ID is "broke"
    or (
      strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
      and any(headers.hops,
              any(.fields,
                  .name == "X-Google-Original-Message-ID"
                  and strings.starts_with(.value, '<Share-')
                  and strings.ends_with(.value, '@odspnotify>')
              )
      )
    )
  )
  // all of the "action" links are sharepoint/ms
  and all(filter(body.links,
                 strings.icontains(subject.subject, .display_text)
                 or .display_text == "Open"
          ),
          .href_url.domain.root_domain in ("sharepoint.com")
          or .href_url.domain.tld == "ms"
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started