Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update link_sharepoint_sus_name.yml #2317

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Update link_sharepoint_sus_name.yml #2317

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d7a4ee0
Update link_sharepoint_sus_name.yml
aidenmitchell Jan 16, 2025
7569d0d
Update link_sharepoint_sus_name.yml
aidenmitchell Jan 16, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 75 additions & 11 deletions detection-rules/link_sharepoint_sus_name.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,14 +89,16 @@ source: |
or strings.icontains(.display_text, 'contract agreement')
or regex.icontains(.display_text, 'Pr[0o]p[0o]sal')
or strings.icontains(.display_text, 'contract doc')

// generic document name AND additional suspicious indicator
or (
regex.imatch(.display_text, 'documents?')
and (
// Find the share comment in the HTML and check for reply/forward "impersonation"
regex.icontains(body.html.raw, '<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)')
regex.imatch(.display_text, 'documents?')
and (
// Find the share comment in the HTML and check for reply/forward "impersonation"
regex.icontains(body.html.raw,
'<p style="font-size:16px;color:#323130;margin:40px 20px 28px">(re|fwd?)'
)
)
)

// the document name is the same as the org name
Expand Down Expand Up @@ -144,16 +146,78 @@ source: |
)
)

// and it's not an internal share
and not any(headers.hops,
any(.fields,
.name == "X-MS-Exchange-CrossTenant-AuthAs"
and .value == "Internal"
// and the sharepoint link is not related to the recipient domain
and (
any(filter(body.links, .href_url.domain.root_domain == 'sharepoint.com'),
any(recipients.to,
// Normalize Levenshtein distance by string length (0 = identical, 0.7+ = different)
// Working with what we have in MQL, considering we dont have max() or any other forms of string distancing
(
(
strings.iends_with(..href_url.domain.subdomain,
'-my'
) // common Sharepoint subdomain suffix
and (
(
strings.ilevenshtein(..href_url.domain.subdomain,
.email.domain.sld
) - 3 // subtract aforementioned suffix for more accurate calculation
) / (
(
(length(..href_url.domain.subdomain) - 3) + length(.email.domain.sld
)
+ (
(
(length(..href_url.domain.subdomain) - 3) - length(.email.domain.sld
)
) + (
length(.email.domain.sld) - (
length(..href_url.domain.subdomain) - 3
)
)
)
) / 2.0 // to ensure we keep the result as a float
)
) > 0.7 // customizable threshold
)
or (
not strings.iends_with(..href_url.domain.subdomain,
'-my'
) // no suffix, continue with original calculation
and (
strings.ilevenshtein(..href_url.domain.subdomain,
.email.domain.sld
) / (
(
length(..href_url.domain.subdomain) + length(.email.domain.sld
)
+ (
(
length(..href_url.domain.subdomain) - length(.email.domain.sld
)
) + (
length(.email.domain.sld) - length(..href_url.domain.subdomain
)
)
)
) / 2.0 // to ensure we keep the result as a float
)
) > 0.7 // customizable threshold
)
)
and not strings.icontains(..href_url.path,
strings.concat(.email.domain.sld,
"_",
.email.domain.tld
)
) // negate sharepoint links that contain recipientdomain_com
)
)
or length(filter(body.links, .href_url.domain.root_domain == 'sharepoint.com')
) == 0 // ignore this logic if it's not an explicit sharepoint.com share
)
// and sender has never had email sent to them
and not profile.by_sender().solicited

attack_types:
- "Credential Phishing"
tactics_and_techniques:
Expand Down
Loading