Medium Severity

Impersonation: SharePoint reply header anomaly

Labels

Credential Phishing

Social engineering

Description

Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns

References

No references.

Sublime Security

Created Mar 3rd, 2025 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// appears to be a reply 
and strings.istarts_with(headers.in_reply_to, '<Share-')
and strings.ends_with(headers.in_reply_to, '@odspnotify>')
and any([body.current_thread.text, body.plain.raw],
    strings.ilike(.,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*",
                  "*received a document*",
                  "*shared a document*",
                  "*shared a new document*",
                  "*shared this document*"
    )
)
and ( // but lacks other reply elements
  not (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "RES:")
    or strings.istarts_with(subject.subject, "R:")
    or strings.istarts_with(subject.subject, "ODG:")
    or strings.istarts_with(subject.subject,
                            "答复:"
    ) // response
    or strings.istarts_with(subject.subject,
                            "回复:"
    ) // reply
    or strings.istarts_with(subject.subject, "AW:")
    or strings.istarts_with(subject.subject, "TR:")
    or strings.istarts_with(subject.subject, "FWD:")
    or strings.istarts_with(subject.subject, "Resposta automática:")
    or strings.istarts_with(subject.subject, "Automatische Antwort:")
    or strings.istarts_with(subject.subject, "Autosvar:")
    or regex.icontains(subject.subject,
                       '^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|tr|aw|automat(ic|ed) reply)\s?:'
    )
  )
  // the sender is the recipient 
  // or the recipients are hidden
  or (
    (
      sender.email.email in map(recipients.to, .email.email)
      and sum([
                length(recipients.bcc),
                length(recipients.to),
                length(recipients.cc)
              ]
      ) == 1
    )
    or length(recipients.to) == 0
    or all(recipients.to, .email.email is null or .email.email == "")
  )
)

// lack a previous thread with sharepoint stuff
and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
            3 of (
              strings.icontains(., "from:"),
              strings.icontains(., "to:"),
              strings.icontains(., "sent:"),
              strings.icontains(., "date:"),
              strings.icontains(., "cc:"),
              strings.icontains(., "subject:")
            )
            and regex.icontains(.,
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
                                '(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
            )
)

// negate bouncebacks and undeliverables
and not any(attachments,
            .content_type in (
              "message/global-delivery-status",
              "message/delivery-status"
            )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started