• Sublime Core Feed
Low Severity

Link: Suspicious SharePoint document name

Description

This rule matches emails sent from SharePoint that notify the recipient of a shared file and whose document name contains suspicious content. The link's display text is used to identify the name of the shared file.

References

No references.

Sublime Security
Created Jul 19th, 2024 • Last updated Aug 5th, 2025
Source
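// Suspicious SharePoint document name
//
// Fires on SharePoint / OneDrive "shared a file" notifications where the
// shared file's name (recovered from the link display text, since the
// notification body itself is templated) matches a lure pattern, the share
// did not originate from inside the recipient's own tenant, and the sender
// is not one the recipient has previously written to.
type.inbound
and strings.ilike(subject.subject, "*shared*", "*invit*")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
// exclude edit invitations; strings.ilike matches the pattern against the
// whole input, so the surrounding wildcards are needed for a substring check
and not strings.ilike(body.current_thread.text, "*invited you to edit*")
and (
  // use the display text of the link to determine the name of the file
  any(filter(body.links,
             (
               .href_url.domain.root_domain == "sharepoint.com"
               or .href_url.domain.root_domain == "1drv.ms"
               // handle urls with mimecast rewriting, where the original
               // sharepoint host is carried in the query string
               or (
                 .href_url.domain.root_domain == 'mimecastprotect.com'
                 and strings.icontains(.href_url.query_params,
                                       '.sharepoint.com'
                 )
               )
             )
             // the generic "Open" button link is not the file name
             and .display_text != "Open"
      ),

      // the file name does not include lowercase letters, while allowing for non letter chars
      // (case-sensitive regex.match on purpose: all-caps / digit-only names are the signal)
      regex.match(.display_text, '^[^a-z]+$')

      // file sharing service references
      or strings.icontains(.display_text, 'dropbox')
      or strings.icontains(.display_text, 'docusign')

      // file name lures
      // secure theme
      or regex.icontains(.display_text, 'secured?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'important.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'shared?.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'protected.*(?:file|document|docs|fax)')
      or regex.icontains(.display_text, 'encrypted.*(?:file|document|docs|fax)')

      // scanner theme
      // regex.icontains rather than strings.icontains: the pattern contains a
      // character class, which a literal substring match would never satisfy
      or regex.icontains(.display_text, 'scanne[rd]_')
      // image themed
      or strings.icontains(.display_text, '_IMG_')
      or regex.icontains(.display_text, '^IMG[_-](?:\d|\W)+$')

      // digits
      or regex.icontains(.display_text, 'doc(?:ument)?\s?\d+$')
      or regex.icontains(.display_text, '^\d+$')

      // onedrive theme
      or strings.icontains(.display_text, 'one_docx')
      or strings.icontains(.display_text, 'OneDrive')
      or regex.icontains(.display_text, 'A document.*One.?Drive')

      // action in file name
      or strings.icontains(.display_text, 'click here')
      or strings.icontains(.display_text, 'Download PDF')
      or strings.icontains(.display_text, 'Validate')

      // limited file name to "confidential" (=~ compares the whole name, case-insensitively)
      or .display_text =~ 'Confidentiality'
      or .display_text =~ 'Confidential'

      // invoice themes
      or any(ml.nlu_classifier(.display_text).entities, .name == "financial")
      or strings.icontains(.display_text, 'payment')
      or strings.icontains(.display_text, 'invoice')
      or regex.icontains(.display_text, 'INV(?:_|\s)?\d+$')
      // starts with INV_ or INV\x20
      or regex.icontains(.display_text, '^INV(?:_|\s)')
      or regex.icontains(.display_text, 'P[O0]\W+?\d+$')
      or strings.icontains(.display_text, 'receipt')
      or strings.icontains(.display_text, 'billing')
      or (
        strings.icontains(.display_text, 'statement')
        // "Privacy Statement" is a common legitimate share name
        and not .display_text =~ "Privacy Statement"
      )
      or strings.icontains(.display_text, 'Past Due')
      or regex.icontains(.display_text, 'Remit(tance)?')
      or strings.icontains(.display_text, 'Purchase Order')

      // contract language
      or strings.icontains(.display_text, 'settlement')
      or strings.icontains(.display_text, 'contract agreement')
      or regex.icontains(.display_text, 'Pr[0o]p[0o]sal')
      or strings.icontains(.display_text, 'contract doc')

      // generic document name AND additional suspicious indicator
      or (
          // the whole file name is just "document" / "documents"
          regex.imatch(.display_text, 'documents?')
          and (
              // Find the share comment in the HTML and check for reply/forward "impersonation"
              regex.icontains(body.html.raw, '<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)')
          )
      )

      // Payroll/HR
      // section also used in abuse_dropbox_sus_names.yml with modified input
      or strings.icontains(.display_text, 'Payroll')
      // regex.icontains so the trailing \b word boundary is honored rather
      // than searched for as literal characters
      or regex.icontains(.display_text, 'Employee Pay\b')
      or strings.icontains(.display_text, 'Salary')
      or strings.icontains(.display_text, 'Benefit Enrollment')
      or strings.icontains(.display_text, 'Employee Handbook')
      or strings.icontains(.display_text, 'Reimbursement Approved')
      or regex.icontains(.display_text, '(?:Faculty|Staff)\s*(?:\w+\s+){0,3}\s*Eval(?:uation)?')
  )
)

// and it's not an internal share: Exchange stamps cross-tenant auth on
// every hop, so any hop carrying AuthAs=Internal means the share came from
// inside the recipient's tenant
and not any(headers.hops,
            any(.fields,
                .name == "X-MS-Exchange-CrossTenant-AuthAs"
                and .value == "Internal"
            )
)
and (
  // and sender has never had email sent to them
  profile.by_sender().solicited == false
  // often the no-reply address is already solicited due to various behaviors,
  // so it is allowed through regardless of the sender profile
  or sender.email.email == "no-reply@sharepointonline.com"
)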