• Sublime Core Feed
Low Severity

Link: SharePoint files shared from GoDaddy federated tenants

Labels

Credential Phishing
Evasion
Sender analysis
URL analysis

Description

This matches on inbound Shared File notiifcation emails from Microsoft, where any link to SharePoint contains a default GoDaddy Federated Tenant Name. These have been observed being frequently abused to send credential phishing campaigns.

References

No references.

Sublime Security
Created Jul 3rd, 2024 • Last updated Jul 16th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
// Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
and strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')

// subject matches the default "shared <filename> with you" format
and strings.ends_with(subject.subject, ' with you')

// any of the links are the default netorgft name from GoDaddy
and any(body.links,
        // Default GoDaddy tenant names
        strings.starts_with(.href_url.domain.subdomain, 'netorg')
        and .href_url.domain.root_domain == "sharepoint.com"
)

// and sender has never had email sent to them
and not profile.by_sender().solicited

// and there haven't been any FPs reported for the sender
and not profile.by_sender().any_messages_benign
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started
Deploy and integrate a free Sublime instance in minutes.
Get Started