Medium Severity

Impersonation: SharePoint Reply Header Anomaly

Labels

Credential Phishing
Social engineering
Impersonation: Brand
Evasion
Spoofing
Header analysis
Content analysis
Sender analysis

Description

Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns

References

No references.

Sublime Security
Created Mar 3rd, 2025 • Last updated Mar 3rd, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// appears to be a reply 
and strings.istarts_with(headers.in_reply_to, '<Share-')
and strings.ends_with(headers.in_reply_to, '@odspnotify>')
and any([body.current_thread.text, body.plain.raw],
    strings.ilike(.,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*",
                  "*received a document*",
                  "*shared a document*",
                  "*shared a new document*",
                  "*shared this document*"
    )
)
and ( // but lacks other reply elements
  not (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "RES:")
    or strings.istarts_with(subject.subject, "R:")
    or strings.istarts_with(subject.subject, "ODG:")
    or strings.istarts_with(subject.subject,
                            "答复:"
    ) // response
    or strings.istarts_with(subject.subject,
                            "回复:"
    ) // reply
    or strings.istarts_with(subject.subject, "AW:")
    or strings.istarts_with(subject.subject, "TR:")
    or strings.istarts_with(subject.subject, "FWD:")
    or strings.istarts_with(subject.subject, "Resposta automática:")
    or strings.istarts_with(subject.subject, "Automatische Antwort:")
    or strings.istarts_with(subject.subject, "Autosvar:")
    or regex.icontains(subject.subject,
                       '^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|tr|aw|automat(ic|ed) reply)\s?:'
    )
  )
  // the sender is the recipient 
  // or the recipients are hidden
  or (
    (
      sender.email.email in map(recipients.to, .email.email)
      and sum([
                length(recipients.bcc),
                length(recipients.to),
                length(recipients.cc)
              ]
      ) == 1
    )
    or length(recipients.to) == 0
    or all(recipients.to, .email.email is null or .email.email == "")
  )
)

// lack a previous thread with sharepoint stuff
and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
            3 of (
              strings.icontains(., "from:"),
              strings.icontains(., "to:"),
              strings.icontains(., "sent:"),
              strings.icontains(., "date:"),
              strings.icontains(., "cc:"),
              strings.icontains(., "subject:")
            )
            and regex.icontains(.,
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
            )
)

// negate bouncebacks and undeliverables
and not any(attachments,
            .content_type in (
              "message/global-delivery-status",
              "message/delivery-status"
            )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started