sublime-security · zoomequipd · Jan 13, 2025 · Jan 13, 2025 · Jan 14, 2025 · Jan 14, 2025
@@ -0,0 +1,79 @@
+name: "Impersonation: SharePoint Reply Header Anomaly"
+description: "Detects messages with SharePoint reply headers that lack standard reply characteristics and contain inconsistencies in thread elements and recipient patterns"
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // appears to be a reply 
+  and strings.istarts_with(headers.in_reply_to, '<Share-')
+  and strings.ends_with(headers.in_reply_to, '@odspnotify>')
+  and ( // but lacks other reply elements
+    not (
+      (
+        strings.istarts_with(subject.subject, "RE:")
+        or strings.istarts_with(subject.subject, "RES:")
+        or strings.istarts_with(subject.subject, "R:")
+        or strings.istarts_with(subject.subject, "ODG:")
+        or strings.istarts_with(subject.subject,
+                                "答复:"
+        ) // response
+        or strings.istarts_with(subject.subject,
+                                "回复:"
+        ) // reply
+        or strings.istarts_with(subject.subject, "AW:")
+        or strings.istarts_with(subject.subject, "TR:")
+        or strings.istarts_with(subject.subject, "FWD:")
+        or strings.istarts_with(subject.subject, "Resposta automática:")
+        or strings.istarts_with(subject.subject, "Automatische Antwort:")
+        or strings.istarts_with(subject.subject, "Autosvar:")
+        or regex.icontains(subject.subject,
+                           '^(?:(?:\[[^\]]+\]\s?|EXT(?:ERNAL)?\s?){0,3}|[[:punct:]]{0,3}\w+[[:punct:]]{0,3}\s)(?:r[ev]|fwd?|automat(ic|ed) reply)\s?:'
+        )
+      )
+    )
+    // the sender is the recipient 
+    // or the recipients are hidden
+    or (
+      sender.email.email in map(recipients.to, .email.email)
+      or length(recipients.to) == 0
+      or all(recipients.to, .email.email is null or .email.email == "")
+    )
+  )
+
+  // lack a previous thread with sharepoint stuff
+  and not any([body.current_thread.text, body.html.display_text, body.plain.raw],
+              3 of (
+                strings.icontains(., "from:"),
+                strings.icontains(., "to:"),
+                strings.icontains(., "sent:"),
+                strings.icontains(., "date:"),
+                strings.icontains(., "cc:"),
+                strings.icontains(., "subject:")
+              )
+              and regex.icontains(.,
+                                  '(?:from|to|sent|date|cc|subject|wrote):.*shared with you',
+                                  '(?:from|to|sent|date|cc|subject|wrote):.*shared the folder .* with you',
+                                  '(?:from|to|sent|date|cc|subject|wrote):.*invited you to view a file',
+
+              )
+  )
+
+  // // negate bouncebacks and undeliverables
+  and not any(attachments,
+              .content_type in (
+                "message/global-delivery-status",
+                "message/delivery-status"
+              )
+  )
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Impersonation: Brand"
+  - "Evasion"
+  - "Spoofing"
+detection_methods:
+  - "Header analysis"
+  - "Content analysis"
+  - "Sender analysis"
+id: "78875848-71ba-5685-ba1c-00c5269cad23"