Sublime Core Feed
Medium Severity

Link: SharePoint OneNote or PDF link with self sender behavior

Description

Detects messages in which the sender and the sole recipient are the same address and the body contains exactly one SharePoint link, pointing at a OneNote, PDF or untyped file, with at most one non-inline attachment and a Message-ID that does not match the format of SharePoint's own sharing notifications. Together these traits indicate potential abuse of SharePoint sharing for malicious purposes.

References

No references.

Sublime Security
Created Feb 27th, 2026 • Last updated Feb 27th, 2026
Source
type.inbound
// self sender
and length(recipients.to) == 1
and recipients.to[0].email.email == sender.email.email
// single link to sharepoint
and length(filter(body.current_thread.links,
                  .href_url.domain.root_domain == 'sharepoint.com'
                  // it is either a OneNote or PDF file, or unknown
                  and regex.icontains(.href_url.path,
                                      '\/:[obu]:\/(?:p|g\/personal)'
                  )
           )
) == 1
// only one link to sharepoint
and length(filter(body.current_thread.links,
                  .href_url.domain.root_domain == 'sharepoint.com'
           )
) == 1
// not sent via sharepoint
and not strings.starts_with(headers.message_id, '<Share-')
and not strings.ends_with(headers.message_id, '@odspnotify>')
// 0 or 1 attachments (this reduces FPs which had many attachments)
and length(attachments) - length(filter(attachments,
                                        strings.contains(body.html.raw,
                                                         strings.concat('src="cid:',
                                                                        .content_id
                                                         )
                                        )
                                 )
) <= 1
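The same checks as the MQL rule above, re-implemented in Python as an added illustration (not Sublime's code or platform) and evaluated over a constructed self-addressed EML. The root-domain test (last two host labels) and the stripping of Content-ID angle brackets are assumptions standing in for MQL's `root_domain` and `.content_id` semantics.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Same path shape as the MQL rule: /:o:/ OneNote, /:b:/ PDF, /:u:/ unknown, then /p/ or /g/personal/
SP_PATH_RE = re.compile(r"/:[obu]:/(?:p|g/personal)", re.IGNORECASE)
def matches_rule(raw_eml: str) -> bool:
    msg = message_from_string(raw_eml)
    # self sender: exactly one To: recipient and it equals the From: address
    tos = [addr.lower() for _, addr in getaddresses(msg.get_all("To", []))]
    if len(tos) != 1 or tos[0] != parseaddr(msg.get("From", ""))[1].lower():
        return False
    html, attachments = "", []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode(errors="replace")
        elif part.get_filename():
            attachments.append(part)
    # exactly one link whose root domain is sharepoint.com, and it points at a OneNote/PDF/unknown file
    sp = [u for u in map(urlparse, re.findall(r'href="([^"]+)"', html))
          if (u.hostname or "").lower().split(".")[-2:] == ["sharepoint", "com"]]
    if len(sp) != 1 or not SP_PATH_RE.search(sp[0].path):
        return False
    # not a sharing notification generated by SharePoint itself
    mid = msg.get("Message-ID", "").strip()
    if mid.startswith("<Share-") or mid.endswith("@odspnotify>"):
        return False
    # at most one attachment not referenced inline via src="cid:..." (assumption: strip Content-ID brackets)
    non_inline = [a for a in attachments
                  if 'src="cid:' + (a.get("Content-ID") or "").strip("<>") not in html]
    return len(non_inline) <= 1
# Constructed sample (not a real capture): self-addressed, one OneNote link, one inline cid image
SAMPLE_EML = """\
From: alice@example.com
To: alice@example.com
Message-ID: <20260227.1234@mail.example.com>
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<a href="https://contoso-my.sharepoint.com/:o:/g/personal/alice_example_com/Exyz">Open</a>
<img src="cid:logo01">
--b1
Content-Type: image/png; name="logo.png"
Content-ID: <logo01>

--b1--
"""
```

Dropping the `<img>` tag turns the logo into a non-inline attachment, which the rule still tolerates because the threshold is one; a second non-inline attachment would suppress the match.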