Sublime Core Feed
Medium Severity

Sharepoint file share with suspicious recipients pattern

Description

This rule detects inbound messages originating from sharepoint.com, addressed to undisclosed recipients, that solicit the user to click a link. This pattern has been observed in account compromises where the compromised account used a legitimate file-sharing service to distribute malicious links.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Mar 27th, 2024
Source
type.inbound

// Suspicious recipient pattern
and any(recipients.to, .display_name == "Undisclosed recipients")
and strings.ilike(body.current_thread.text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")
and any(body.links, .href_url.domain.root_domain == "sharepoint.com")
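A worked illustration of the detection logic above, added here as an example and not Sublime's own code: a Python re-implementation of the rule's five ANDed conditions, run over three constructed sample messages (a matching lure, the same lure sent to a named recipient, and the same lure pointing at a SharePoint-lookalike host). The `ilike`, `icontains` and `root_domain` helpers approximate the MQL functions; `root_domain` in particular is a last-two-labels simplification rather than the public-suffix lookup MQL performs, and every sample value is constructed.

```python
"""Toy re-implementation of the Sublime rule above, run over constructed messages.

Added example, not Sublime's code. The helpers approximate MQL's strings.ilike,
strings.icontains and .href_url.domain.root_domain; the sample messages are
constructed for illustration.
"""
from __future__ import annotations

import fnmatch
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Recipient:
    email: str
    display_name: str = ""


@dataclass
class Message:
    name: str                 # label for the sample, not a mail header
    inbound: bool
    to: list[Recipient]
    subject: str
    body_text: str            # stands in for body.current_thread.text
    links: list[str] = field(default_factory=list)   # href URLs from body.links


def ilike(text: str, *patterns: str) -> bool:
    """Approximates strings.ilike: case-insensitive glob where * matches anything
    (including newlines); true if any pattern matches the whole text."""
    lowered = text.lower()
    return any(fnmatch.fnmatchcase(lowered, p.lower()) for p in patterns)


def icontains(text: str, needle: str) -> bool:
    """Approximates strings.icontains: case-insensitive substring test."""
    return needle.lower() in text.lower()


def root_domain(url: str) -> str:
    """Simplified root_domain: last two DNS labels of the link host. MQL uses the
    public suffix list, so multi-label suffixes such as .co.uk differ here."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matches_rule(msg: Message) -> bool:
    """The five ANDed conditions of the rule, in the same order as the MQL."""
    return (
        msg.inbound
        and any(r.display_name == "Undisclosed recipients" for r in msg.to)
        and ilike(msg.body_text,
                  "*shared a file with you*",
                  "*shared with you*",
                  "*invited you to access a file*")
        and icontains(msg.subject, "shared")
        and any(root_domain(u) == "sharepoint.com" for u in msg.links)
    )


# Constructed samples (not real traffic).
UNDISCLOSED = Recipient("hidden@example.invalid", "Undisclosed recipients")

SAMPLE_SUSPICIOUS = Message(
    name="suspicious",
    inbound=True,
    to=[UNDISCLOSED],
    subject='Pat Doe shared "Q3 Invoice.pdf" with you',
    body_text="Pat Doe shared a file with you.\nOpen the document to review it.",
    links=["https://contoso-my.sharepoint.com/:b:/g/personal/pat_contoso_com/EXAMPLE"],
)

# Same lure, but addressed to a named recipient: the recipient condition fails.
SAMPLE_NAMED_RECIPIENT = Message(
    name="named_recipient",
    inbound=True,
    to=[Recipient("bob@example.invalid", "Bob Example")],
    subject=SAMPLE_SUSPICIOUS.subject,
    body_text=SAMPLE_SUSPICIOUS.body_text,
    links=SAMPLE_SUSPICIOUS.links,
)

# Undisclosed recipients and a SharePoint-looking host, but the registrable domain
# is example.net, so the root_domain condition (not a substring check) fails.
SAMPLE_LOOKALIKE_LINK = Message(
    name="lookalike_link",
    inbound=True,
    to=[UNDISCLOSED],
    subject=SAMPLE_SUSPICIOUS.subject,
    body_text=SAMPLE_SUSPICIOUS.body_text,
    links=["https://sharepoint.com.example.net/share/EXAMPLE"],
)

SAMPLES = [SAMPLE_SUSPICIOUS, SAMPLE_NAMED_RECIPIENT, SAMPLE_LOOKALIKE_LINK]


def flagged(messages: list[Message]) -> list[str]:
    """Names of the messages the rule would flag."""
    return [m.name for m in messages if matches_rule(m)]


if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{m.name:16s} -> {'FLAG' if matches_rule(m) else 'pass'}")
```

Running the script flags only the first sample. The third sample is the one worth noting when tuning: the rule keys on the link's registrable domain, so a host that merely contains the string `sharepoint.com` does not satisfy the last condition, and a true sharepoint.com tenant link with an ordinary named recipient does not satisfy the second.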