// Inbound mail only.
type.inbound
// SharePoint-style sharing-notification wording in the current thread body:
// any one of the three wildcard patterns below is enough.
and strings.like(body.current_thread.text,
"*shared a file with you*",
"*shared with you*",
"*invited you to access a file*"
)
// Subject mentions sharing (case-insensitive substring).
and strings.icontains(subject.subject, "shared")
// The shared SharePoint file has been "Protected": the recipient-restriction
// notice appears in either the raw plain body or the current thread text.
and any([body.plain.raw, body.current_thread.text],
strings.icontains(.,
"This link only works for the direct recipients of this message"
)
)
// At least one body link whose root domain is sharepoint.com.
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
// Any one of the following three sender conditions is sufficient.
and (
// (1) the sender is uncommon: the sender-email profile is new/rare/outlier
//     for this org and is not marked as solicited
(
profile.by_sender_email().prevalence in ("new", "rare", "outlier")
and not profile.by_sender_email().solicited
)
// (2) the sender's root domain is sharepointonline.com and the reply-to
//     address has never sent an email to the org (beta reply-to profile)
or (
sender.email.domain.root_domain == "sharepointonline.com"
and beta.profile.by_reply_to().prevalence == "new"
)
// (3) the message contains suspect language.
//     NOTE(review): the capture group in '(kindly)' adds nothing for a
//     contains-style check; a plain case-insensitive substring match on
//     "kindly" would be equivalent.
or (
regex.icontains(body.current_thread.text,
'(kindly)'
)
)
)