Medium Severity
Impersonation: SharePoint Reply Header Anomaly
Description
Detects messages that carry a SharePoint share-notification reply header (an In-Reply-To value ending in @odspnotify) but lack standard reply characteristics, with inconsistencies in thread elements and recipient patterns.
References
No references.
Sublime Security
Created Mar 3rd, 2025 • Last updated Mar 3rd, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// appears to be a reply to a SharePoint/OneDrive share notification
and strings.istarts_with(headers.in_reply_to, '<Share-')
and strings.ends_with(headers.in_reply_to, '@odspnotify>')
// and carries file-share lure wording in the body
and any([body.current_thread.text, body.plain.raw],
        strings.ilike(.,
                      "*shared a file with you*",
                      "*shared with you*",
                      "*invited you to access a file*",
                      "*received a document*",
                      "*shared a document*",
                      "*shared a new document*",
                      "*shared this document*"
        )
)
and ( // but lacks other reply elements
  not (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "RES:")
    or strings.istarts_with(subject.subject, "R:")
    or strings.istarts_with(subject.subject, "ODG:")
    or strings.istarts_with(subject.subject, "答复:") // response
    or strings.istarts_with(subject.subject, "回复:") // reply
    or strings.istarts_with(subject.subject, "AW:")
    or strings.istarts_with(subject.subject, "TR:")
    or strings.istarts_with(subject.subject, "FWD:")
    or strings.istarts_with(subject.subject, "Resposta automática:")
    or strings.istarts_with(subject.subject, "Automatische Antwort:")
    or strings.istarts_with(subject.subject, "Autosvar:")
    // reply/forward prefixes behind optional [tags] or EXT/EXTERNAL markers
    or regex.icontains(subject.subject,
                       '^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|tr|aw|automat(ic|ed) reply)\s?:'
    )
  )
  // the sender is the recipient
  // or the recipients are hidden
  or (
    (
      sender.email.email in map(recipients.to, .email.email)
      and sum([
                length(recipients.bcc),
                length(recipients.to),
                length(recipients.cc)
              ]
      ) == 1
    )
    or length(recipients.to) == 0
    or all(recipients.to, .email.email is null or .email.email == "")
  )
)
// lack a previous thread with sharepoint stuff
// (a quoted header block plus the original share wording indicates a genuine reply)
and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
            3 of (
              strings.icontains(., "from:"),
              strings.icontains(., "to:"),
              strings.icontains(., "sent:"),
              strings.icontains(., "date:"),
              strings.icontains(., "cc:"),
              strings.icontains(., "subject:")
            )
            and regex.icontains(.,
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
            )
)
// negate bouncebacks and undeliverables
and not any(attachments,
            .content_type in (
              "message/global-delivery-status",
              "message/delivery-status"
            )
)
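As an added illustration (not part of the Sublime rule or its MQL engine), the following Python approximates the rule's conditions over raw EML text so the logic can be exercised offline. The sample messages are constructed, the addresses and message IDs are placeholders, and the subject-prefix regex is simplified because Python's re module has no [[:punct:]] class.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

SHARE_PHRASES = ("shared a file with you", "shared with you", "invited you to access a file",
                 "received a document", "shared a document", "shared a new document",
                 "shared this document")
REPLY_PREFIXES = ("re:", "res:", "r:", "odg:", "答复:", "回复:", "aw:", "tr:", "fwd:",
                  "resposta automática:", "automatische antwort:", "autosvar:")
# Simplified form of the rule's prefix regex (Python's re has no [[:punct:]] class).
REPLY_PREFIX_RE = re.compile(
    r"^(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}(?:r[ev]|fwd?|tr|aw|automat(?:ic|ed) reply)\s?:", re.I)
THREAD_LABELS = ("from:", "to:", "sent:", "date:", "cc:", "subject:")
QUOTED_SHARE_RE = re.compile(r"(?:from|to|sent|date|cc|subject|wrote):.*(?:shared with you"
                             r"|shared the folder .* with you|invited you to view a file)", re.I)
DSN_TYPES = {"message/global-delivery-status", "message/delivery-status"}

def sharepoint_reply_anomaly(raw_eml: str) -> bool:
    msg = message_from_string(raw_eml, policy=policy.default)
    irt = (msg["In-Reply-To"] or "").strip()
    if not (irt.lower().startswith("<share-") and irt.endswith("@odspnotify>")):
        return False                                  # not threaded to a share notification
    part = msg.get_body(preferencelist=("plain", "html"))
    low = (part.get_content() if part else "").lower()
    if not any(p in low for p in SHARE_PHRASES):
        return False                                  # no file-share lure wording
    subject = (msg["Subject"] or "").strip()
    looks_like_reply = subject.lower().startswith(REPLY_PREFIXES) or bool(REPLY_PREFIX_RE.search(subject))
    def addrs(header):                                # lower-cased addresses from a header
        return [a.lower() for _, a in getaddresses(msg.get_all(header, [])) if a]
    to, cc, bcc = addrs("To"), addrs("Cc"), addrs("Bcc")
    sender = (addrs("From") or [""])[0]
    self_or_hidden = (sender in to and len(to) + len(cc) + len(bcc) == 1) or not to
    if looks_like_reply and not self_or_hidden:
        return False                                  # ordinary reply traits are present
    if sum(l in low for l in THREAD_LABELS) >= 3 and QUOTED_SHARE_RE.search(low):
        return False                                  # quotes the earlier SharePoint notification
    if any(p.get_content_type() in DSN_TYPES for p in msg.iter_attachments()):
        return False                                  # bounceback / undeliverable report
    return True

# Constructed samples (not real messages). SUSPECT: share-notification reply header, no RE: prefix,
# sender is the only recipient. LEGIT_REPLY: RE: subject, distinct recipient, quoted notification.
SUSPECT = ("From: Finance Team <alerts@example.invalid>\nTo: alerts@example.invalid\n"
           "Subject: Q3 invoice package\nIn-Reply-To: <Share-0000-CONSTRUCTED@odspnotify>\n\n"
           "Finance Team shared a file with you. Open the document to review.\n")
LEGIT_REPLY = ("From: Alice <alice@example.invalid>\nTo: Bob <bob@example.invalid>\n"
               "Subject: RE: Budget.xlsx\nIn-Reply-To: <Share-0001-CONSTRUCTED@odspnotify>\n\n"
               "Thanks.\n\nFrom: SharePoint\nSent: Monday\nTo: Alice\nSubject: Bob shared with you Budget.xlsx\n")
```

Changing one field at a time on SUSPECT (the In-Reply-To prefix, the subject prefix, the To address) shows which branch of the rule admits or excludes a message.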