• Sublime Core Feed
Medium Severity

Suspicious SharePoint File Sharing

Labels

Credential Phishing
Free email provider
Free file host
OneNote
PDF
Content analysis
Header analysis
Sender analysis
URL analysis

Description

This rule detect potential credential phishing leveraging SharePoint file sharing to deliver a PDF, OneNote, or Unknown file type file using indicators such as suspicious sender analysis and link characteristics.

References

No references.

Sublime Security
Created Jul 19th, 2024 • Last updated Apr 11th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// Matches the message id observed. DKIM/SPF domains can be custom and therefore are unpredictable.
and strings.starts_with(headers.message_id, '<Share-')
and strings.ends_with(headers.message_id, '@odspnotify>')

// SharePoint email indicators
and strings.like(body.current_thread.text,
                 "*shared a file with you*",
                 "*shared with you*",
                 "*invited you to access a file*"
)
and strings.icontains(subject.subject, "shared")

// sender analysis 
and (
  (
    // if the sender is not the sharepointonline.com, we can use the sender email
    // to see if it is a solicited email
    sender.email.domain.domain != "sharepointonline.com"
    and not profile.by_sender().solicited
  )
  // if it is the sharepointonline sender, use the reply-to header
  or (
    sender.email.domain.domain =~ "sharepointonline.com"
    and length(headers.reply_to) > 0
    and 
    // a newly created domain
    (
      all(headers.reply_to,
          .email.domain.root_domain not in $free_email_providers
          and network.whois(.email.domain).days_old <= 30
          and .email.email != sender.email.email
      )

      // is a free email provider
      or all(headers.reply_to,
             .email.domain.root_domain in $free_email_providers
      )

      //
      // This rule makes use of a beta feature and is subject to change without notice
      // using the beta feature in custom rules is not suggested until it has been formally released
      //
      
      // no outbound emails 
      or not beta.profile.by_reply_to().solicited
    )
    // do not match if the reply_to address has been observed as a reply_to address
    // of a message that has been classified as benign
    and not beta.profile.by_reply_to().any_messages_benign
  )
)
// link logic
and any(body.links,
        .href_url.domain.root_domain == "sharepoint.com"
        // it is a personal share
        and (
          // /g/ is only found with /personal
          strings.icontains(.href_url.path, '/g/personal/')
          or strings.icontains(.href_url.path, '/p/')
        )
        // it is either a OneNote or PDF
        and (
          strings.icontains(.href_url.path, '/:o:/')
          or strings.icontains(.href_url.path, '/:b:/')
          or strings.icontains(.href_url.path, '/:u:/')
        )
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started