Low Severity

Link: Secure SharePoint file share from new or unusual sender

Labels

Credential Phishing
Free file host
Evasion
Content analysis
Sender analysis

Description

This ASR rule detects the use of secure SharePoint links that require recipient verification before the shared file can be opened. This has been observed as a method of evading automated analysis of the shared file's content, since a scanner that is not the addressed recipient cannot retrieve the file.

References

No references.

Sublime Security
Created Jul 3rd, 2024 • Last updated Jul 9th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// SharePoint email indicators
and strings.like(body.current_thread.text,
                 "*shared a file with you*",
                 "*shared with you*",
                 "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")
// the Sharepoint file has been "Protected"
and any([body.plain.raw, body.current_thread.text],
        strings.icontains(.,
                          "This link only works for the direct recipients of this message"
        )
)
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")

// sender is uncommon
and (
  (
    profile.by_sender().prevalence in ("new", "rare", "outlier")
    and not profile.by_sender().solicited
  )
  // or the reply-to address has never sent an email to the org
  or (
    sender.email.domain.root_domain == "sharepointonline.com"
    and beta.profile.by_reply_to().prevalence == "new"
  )
  // or the message contains suspect language
  or (
    regex.icontains(body.current_thread.text,
                    '(kindly)'
    )
  )
)
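The following Python is an added illustration, not Sublime's own code or part of the rule above: it re-implements the rule's conditions and runs them over a handful of constructed sample messages, so the interaction between the three ORed sender conditions is visible. The `Message` fields, the sample values, the `root_domain` helper and the assumption that every message is inbound (`type.inbound`) stand in for Sublime's message model and `profile.by_sender()` / `beta.profile.by_reply_to()` enrichments.

```python
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase
import re
from urllib.parse import urlparse

# Phrases copied from the rule. Everything else in this file is an assumption
# standing in for Sublime's message model and profile enrichments.
SHARE_PATTERNS = (
    "*shared a file with you*",
    "*shared with you*",
    "*invited you to access a file*",
)
PROTECTED_PHRASE = "this link only works for the direct recipients of this message"
UNCOMMON_PREVALENCE = {"new", "rare", "outlier"}
SUSPECT_LANGUAGE = re.compile(r"(kindly)", re.IGNORECASE)


@dataclass
class Message:
    """Hypothetical flattened view of the MQL fields the rule reads."""
    subject: str
    body_text: str              # body.current_thread.text
    link_urls: list[str]        # .href_url of each body.links entry
    sender_root_domain: str     # sender.email.domain.root_domain
    sender_prevalence: str      # profile.by_sender().prevalence
    sender_solicited: bool      # profile.by_sender().solicited
    reply_to_prevalence: str    # beta.profile.by_reply_to().prevalence


def root_domain(url: str) -> str:
    """Approximates .href_url.domain.root_domain with the last two labels.
    Sufficient for sharepoint.com; a real implementation needs the public suffix list."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def has_sharepoint_wording(msg: Message) -> bool:
    """strings.like(...) on the thread text, plus 'shared' in the subject."""
    body_hit = any(fnmatchcase(msg.body_text, pat) for pat in SHARE_PATTERNS)
    return body_hit and "shared" in msg.subject.lower()


def link_is_protected(msg: Message) -> bool:
    """The phrase SharePoint adds when the link is restricted to named recipients."""
    return PROTECTED_PHRASE in msg.body_text.lower()


def links_to_sharepoint(msg: Message) -> bool:
    return any(root_domain(u) == "sharepoint.com" for u in msg.link_urls)


def sender_is_uncommon(msg: Message) -> bool:
    """The three ORed branches of the rule's sender block."""
    unsolicited_new_sender = (
        msg.sender_prevalence in UNCOMMON_PREVALENCE and not msg.sender_solicited
    )
    unseen_reply_to = (
        msg.sender_root_domain == "sharepointonline.com"
        and msg.reply_to_prevalence == "new"
    )
    suspect_language = SUSPECT_LANGUAGE.search(msg.body_text) is not None
    return unsolicited_new_sender or unseen_reply_to or suspect_language


def matches_rule(msg: Message) -> bool:
    return (
        has_sharepoint_wording(msg)
        and link_is_protected(msg)
        and links_to_sharepoint(msg)
        and sender_is_uncommon(msg)
    )


# Constructed sample messages (not real captures).
_PROTECTED_BODY = (
    "Alex Example shared a file with you. "
    "This link only works for the direct recipients of this message. "
)
_LINK = ["https://example-my.sharepoint.com/:b:/g/personal/report"]
_SUBJECT = 'Alex Example shared "Report.pdf" with you'


def _sample(body: str, prevalence: str, solicited: bool, reply_to: str) -> Message:
    return Message(_SUBJECT, body, _LINK, "sharepointonline.com",
                   prevalence, solicited, reply_to)


SAMPLES = {
    "new_unsolicited_sender": _sample(_PROTECTED_BODY, "new", False, "common"),
    "known_sender_unseen_reply_to": _sample(_PROTECTED_BODY, "common", True, "new"),
    "known_sender_kindly": _sample(_PROTECTED_BODY + "Kindly review today.",
                                   "common", True, "common"),
    "established_colleague": _sample(_PROTECTED_BODY, "common", True, "common"),
    "no_verification_gate": _sample("Alex Example shared a file with you.",
                                    "new", False, "common"),
}


def evaluate_samples() -> dict[str, bool]:
    return {name: matches_rule(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:30} {'MATCH' if hit else 'no match'}")
```

Two things worth noticing when tuning this rule: the recipient-verification phrase is the only condition separating it from ordinary SharePoint share notifications, so a message from an established, solicited sender still matches if the body happens to contain "kindly"; and a message without that phrase never matches, however new the sender is, because the rule targets the verification gate rather than SharePoint sharing in general.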