1+ name : " Brand impersonation: SharePoint PDF attachment with credential theft language"
2+ description : " PDF attachment contains SharePoint logo and high-confidence credential theft language detected via OCR analysis. The attachment includes URLs and originates from an unsolicited or low-reputation sender, excluding legitimate SharePoint file sharing notifications."
3+ type : " rule"
4+ severity : " medium"
5+ source : |
6+ type.inbound
7+ and (
8+ any(attachments,
9+ (
10+ .file_type == "pdf"
11+ and any(ml.logo_detect(.).brands, .name == "Microsoft SharePoint")
12+ and any(file.explode(.), length(.scan.url.urls) > 0)
13+ and any(file.explode(.),
14+ any(ml.nlu_classifier(.scan.ocr.raw).intents,
15+ .name == "cred_theft" and .confidence == "high"
16+ )
17+ )
18+ )
19+ )
20+ )
21+ // negate sharepoint file share
22+ and not (
23+ // based on the message id format
24+ (
25+ (
26+ strings.starts_with(headers.message_id, '<Share-')
27+ and strings.ends_with(headers.message_id, '@odspnotify>')
28+ )
29+ or // negate legitimate access request to file
30+ (
31+ strings.starts_with(headers.message_id, '<Sharing')
32+ and strings.ends_with(headers.message_id, '@odspnotify>')
33+ )
34+ // deal with Google thinking the message ID is "broke"
35+ or (
36+ strings.icontains(headers.message_id, 'SMTPIN_ADDED_BROKEN')
37+ and any(headers.hops,
38+ any(.fields,
39+ .name == "X-Google-Original-Message-ID"
40+ and strings.starts_with(.value, '<Share-')
41+ and strings.ends_with(.value, '@odspnotify>')
42+ )
43+ )
44+ )
45+ )
46+ // all of the "action" links are sharepoint/ms
47+ and all(filter(body.links,
48+ strings.icontains(subject.subject, .display_text)
49+ or .display_text == "Open"
50+ ),
51+ .href_url.domain.root_domain in ("sharepoint.com")
52+ or (
53+ .href_url.domain.tld == "ms"
54+ // Microsoft does not own the .ms TLD, this checks to ensure it is one of their domains
55+ and (
56+ network.whois(.href_url.domain).registrant_company == "Microsoft Corporation"
57+ or strings.ilike(network.whois(.href_url.domain).registrar_name,
58+ "*MarkMonitor*",
59+ "*CSC Corporate*",
60+ "*com laude*"
61+ )
62+ )
63+ )
64+ )
65+ )
66+ and not (
67+ (
68+ (subject.is_reply or subject.is_forward)
69+ and (
70+ (length(headers.references) > 0 or headers.in_reply_to is not null)
71+ // ensure that there are actual threads
72+ and (
73+ length(body.previous_threads) > 0
74+ or (length(body.html.display_text) - length(body.current_thread.text)) > 200
75+ )
76+ )
77+ )
78+ )
79+ and (
80+ profile.by_sender_email().prevalence != 'common'
81+ or not profile.by_sender_email().solicited
82+ or profile.by_sender().any_messages_malicious_or_spam
83+ )
84+ and not profile.by_sender().any_messages_benign
85+
86+ // negate highly trusted sender domains unless they fail DMARC authentication
87+ and (
88+ (
89+ sender.email.domain.root_domain in $high_trust_sender_root_domains
90+ and not headers.auth_summary.dmarc.pass
91+ )
92+ or sender.email.domain.root_domain not in $high_trust_sender_root_domains
93+ )
94+
95+ attack_types :
96+ - " Credential Phishing"
97+ tactics_and_techniques :
98+ - " Impersonation: Brand"
99+ - " Social engineering"
100+ - " PDF"
101+ - " Evasion"
102+ detection_methods :
103+ - " Computer Vision"
104+ - " File analysis"
105+ - " Natural Language Understanding"
106+ - " Optical Character Recognition"
107+ - " Sender analysis"
108+ - " URL analysis"
109+ - " Header analysis"
110+ - " Whois"
111+ id : " 7c1528a6-d43a-5a0e-bb3f-8e642562a2f7"
112+ og_id : " ae3756fa-3751-5fba-b68d-d91164fd359c"
113+ testing_pr : 3486
114+ testing_sha : f33f1566624b885b185b895f19b606fabcfea537
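Review bot: The SharePoint-notification negation (lines 22–65) keys only on the Message-ID format (`<Share-…@odspnotify>`, `<Sharing…@odspnotify>`, or the Google-rewritten original), and Message-ID is a sender-supplied header, so a phisher who copies that format can suppress the rule outright; the only other condition in that branch is the link allowlist, and it passes whenever every matching link points at any `sharepoint.com` tenant, including an attacker-controlled one, or — if MQL's `all()` is vacuously true over an empty filter, which I would confirm — whenever the body has no link whose display text appears in the subject or is "Open". Since `headers.auth_summary.dmarc.pass` is already used on line 90, the negation should additionally require authentication from the genuine sending domain, e.g. inside the `not (...)` block add `and sender.email.domain.root_domain == "sharepointonline.com"` (or whichever root domain the real notifications are observed to use) `and headers.auth_summary.dmarc.pass`, so a spoofed Message-ID alone cannot disable the detection. The `.ms` whois branch on lines 53–62 is a weaker allowlist than the domain check above it (registrar name is not ownership), so a comment such as `// whois-based check: treat as best-effort, not proof of Microsoft ownership` would help the next maintainer. The reply/forward negation on lines 66–78 relies on `References`/`In-Reply-To`, which are also sender-controlled, but the thread-length requirement on lines 72–75 partially offsets that.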