Low Severity

Link: Secure SharePoint file share from new or unusual sender

Description

This ASR rule detects the use of secure SharePoint links which require recipient verifcation before allowing access to the shared file. This has been observed as a method of evading automated analysis of the shared files' content.

References

No references.

Sublime Security
Created Jul 3rd, 2024 • Last updated Jun 10th, 2025
Source
type.inbound
// SharePoint email indicators
and strings.like(body.current_thread.text,
                 "*shared a file with you*",
                 "*shared with you*",
                 "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")
// the Sharepoint file has been "Protected"
and any([body.plain.raw, body.current_thread.text],
        strings.icontains(.,
                          "This link only works for the direct recipients of this message"
        )
)
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")

// sender is uncommon
and (
  (
    profile.by_sender().prevalence in ("new", "rare", "outlier")
    and not profile.by_sender().solicited
  )
  // or the reply-to address has never sent an email to the org
  or (
    sender.email.domain.root_domain == "sharepointonline.com"
    and beta.profile.by_reply_to().prevalence == "new"
  )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.