Medium Severity

Brand impersonation: SharePoint PDF attachment with credential theft language

Labels

Credential Phishing

Impersonation: Brand

Natural Language Understanding

Optical Character Recognition

Description

PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications.

References

No references.

Sublime Security

Created Sep 25th, 2025 • Last updated Nov 7th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  any(attachments,
      (
        .file_type == "pdf"
        and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
        and any(file.explode(.), length(.scan.url.urls) > 0)
        and any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).intents,
                    .name == "cred_theft" and .confidence == "high"
                )
        )
      )
  )
)
// negate sharepoint file share
and not (
  // based on the message id format
  (
    (
      strings.starts_with(headers.message_id, '<Share-')
      and strings.ends_with(headers.message_id, '@odspnotify>')
    )
    or // negate legitimate access request to file
 (
      strings.starts_with(headers.message_id, '<Sharing')
      and strings.ends_with(headers.message_id, '@odspnotify>')
    )
    // deal with Google thinking the message ID is "broke"
    or (
      strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
      and any(headers.hops,
              any(.fields,
                  .name == "X-Google-Original-Message-ID"
                  and strings.starts_with(.value, '<Share-')
                  and strings.ends_with(.value, '@odspnotify>')
              )
      )
    )
  )
  // all of the "action" links are sharepoint/ms
  and all(filter(body.links,
                 strings.icontains(subject.subject, .display_text)
                 or .display_text == "Open"
          ),
          .href_url.domain.root_domain in ("sharepoint.com")
          or (
            .href_url.domain.tld == "ms"
            // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
            and (
              network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
              or strings.ilike(network.whois(.href_url.domain).registrar_name,
                               "*MarkMonitor*",
                               "*CSC Corporate*",
                               "*com laude*"
              )
            )
          )
  )
)
and not (
  (
    (subject.is_reply or subject.is_forward)
    and (
      (length(headers.references) > 0 or headers.in_reply_to is not null)
      // ensure that there are actual threads
      and (
        length(body.previous_threads) > 0
        or (length(body.html.display_text) - length(body.current_thread.text)) > 200
      )
    )
  )
)
and (
  profile.by_sender_email().prevalence != 'common'
  or not profile.by_sender_email().solicited
  or profile.by_sender().any_messages_malicious_or_spam
)
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started