From c680c5ed42937a61578ae467c1e542c61b7ad2f1 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Wed, 15 Jan 2025 00:01:27 +0000
Subject: [PATCH] Sync from PR#2307 Create impersonation_sharepoint_reply_headers.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2307 Source SHA 0e1cbf3607c85bacd8662040a226d39c249b7b92 Triggered by @zoomequipd
---
 detection-rules/impersonation_sharepoint_reply_headers.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detection-rules/impersonation_sharepoint_reply_headers.yml b/detection-rules/impersonation_sharepoint_reply_headers.yml
index f95b2466593..3244fe10dbd 100644
--- a/detection-rules/impersonation_sharepoint_reply_headers.yml
+++ b/detection-rules/impersonation_sharepoint_reply_headers.yml
@@ -2,7 +2,7 @@ name: "Impersonation: SharePoint Reply Header Anomaly"
 description: "Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns"
 type: "rule"
 severity: "medium"
-source: "type.inbound\n// appears to be a reply \nand strings.istarts_with(headers.in_reply_to, '')\nand ( // but lacks other reply elements\n not (\n (\n strings.istarts_with(subject.subject, \"RE:\")\n or strings.istarts_with(subject.subject, \"R:\")\n or strings.istarts_with(subject.subject, \"ODG:\")\n or strings.istarts_with(subject.subject,\n \"答复:\"\n ) // response\n or strings.istarts_with(subject.subject,\n \"回复:\"\n ) // reply\n or strings.istarts_with(subject.subject, \"AW:\")\n or strings.istarts_with(subject.subject, \"TR:\")\n or strings.istarts_with(subject.subject, \"FWD:\")\n or strings.istarts_with(subject.subject, \"Resposta automática:\")\n or regex.icontains(subject.subject,\n '^(\\[[^\\]]+\\]\\s?){0,3}(?:r[ev]|fwd?|automat(ic|ed) reply)\\s?:'\n )\n )\n )\n // the sender is the recipient \n // or the recipients are hidden\n or (\n sender.email.email in map(recipients.to, .email.email)\n or length(recipients.to) == 0\n or all(recipients.to, .email.email is null or .email.email == \"\")\n )\n)\n\n// lack a previous thread with sharepoint stuff\nand not any([body.current_thread.text, body.html.display_text, body.plain.raw],\n 3 of (\n strings.icontains(., \"from:\"),\n strings.icontains(., \"to:\"),\n strings.icontains(., \"sent:\"),\n strings.icontains(., \"date:\"),\n strings.icontains(., \"cc:\"),\n strings.icontains(., \"subject:\")\n )\n and regex.icontains(.,\n '(?:from|to|sent|date|cc|subject|wrote):.*shared with you'\n )\n)\n\n// // negate bouncebacks and undeliverables\nand not any(attachments,\n .content_type in (\n \"message/global-delivery-status\",\n \"message/delivery-status\"\n )\n)\n"
+source: "type.inbound\n// appears to be a reply \nand strings.istarts_with(headers.in_reply_to, '')\nand ( // but lacks other reply elements\n not (\n (\n strings.istarts_with(subject.subject, \"RE:\")\n or strings.istarts_with(subject.subject, \"RES:\")\n or strings.istarts_with(subject.subject, \"R:\")\n or strings.istarts_with(subject.subject, \"ODG:\")\n or strings.istarts_with(subject.subject,\n \"答复:\"\n ) // response\n or strings.istarts_with(subject.subject,\n \"回复:\"\n ) // reply\n or strings.istarts_with(subject.subject, \"AW:\")\n or strings.istarts_with(subject.subject, \"TR:\")\n or strings.istarts_with(subject.subject, \"FWD:\")\n or strings.istarts_with(subject.subject, \"Resposta automática:\")\n or strings.istarts_with(subject.subject, \"Automatische Antwort:\")\n or strings.istarts_with(subject.subject, \"Autosvar:\")\n or regex.icontains(subject.subject,\n '^(\\[[^\\]]+\\]\\s?){0,3}(?:r[ev]|fwd?|automat(ic|ed) reply)\\s?:'\n )\n )\n )\n // the sender is the recipient \n // or the recipients are hidden\n or (\n sender.email.email in map(recipients.to, .email.email)\n or length(recipients.to) == 0\n or all(recipients.to, .email.email is null or .email.email == \"\")\n )\n)\n\n// lack a previous thread with sharepoint stuff\nand not any([body.current_thread.text, body.html.display_text, body.plain.raw],\n 3 of (\n strings.icontains(., \"from:\"),\n strings.icontains(., \"to:\"),\n strings.icontains(., \"sent:\"),\n strings.icontains(., \"date:\"),\n strings.icontains(., \"cc:\"),\n strings.icontains(., \"subject:\")\n )\n and regex.icontains(.,\n '(?:from|to|sent|date|cc|subject|wrote):.*shared with you'\n )\n)\n\n// // negate bouncebacks and undeliverables\nand not any(attachments,\n .content_type in (\n \"message/global-delivery-status\",\n \"message/delivery-status\"\n )\n)\n"
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
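Review bot: The three new subject prefixes (`RES:`, `Automatische Antwort:`, `Autosvar:`) are added as bare `strings.istarts_with` checks, so unlike the prefixes covered by the `regex.icontains` a few lines below they are not recognised when a bracketed tag such as `[EXTERNAL]` precedes them, and a tagged legitimate reply in those languages still falls through the `not (...)` branch. Folding them into the existing alternation keeps the tag tolerance in one place: `'^(\[[^\]]+\]\s?){0,3}(?:r[ev]s?|fwd?|automat(ic|ed) reply|automatische antwort|autosvar)\s?:'` (backslashes doubled inside the YAML double-quoted scalar, as the surrounding line already does). The CJK prefixes carry `// response` and `// reply` comments; the new entries would benefit from matching ones, e.g. `// Portuguese reply` and `// German / Nordic auto-reply`, so the next maintainer knows what each literal is for. Since this list is an exclusion, every addition narrows what the rule flags, so it is worth confirming against the test corpus that the new entries do not suppress samples the previous list caught.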
@@ -16,4 +16,4 @@ detection_methods:
 - "Sender analysis"
 id: "78875848-71ba-5685-ba1c-00c5269cad23"
 testing_pr: 2307
-testing_sha: e74b2ac176175c20a06561144f925a01143d3705
+testing_sha: 0e1cbf3607c85bacd8662040a226d39c249b7b92