Skip to content

Update Suspicious SharePoint document name#3965

Merged
IndiaAce merged 5 commits intomainfrom
india.ESC-6676.sus_doc_name_new_pattern
Feb 13, 2026
Merged

Update Suspicious SharePoint document name#3965
IndiaAce merged 5 commits intomainfrom
india.ESC-6676.sus_doc_name_new_pattern

Conversation

@IndiaAce
Copy link
Copy Markdown
Member

@IndiaAce IndiaAce commented Feb 5, 2026
edited
Loading

Description

Adding newly observed pattern

Associated samples

Associated hunts

Why am I removing .name == "X-MS-Exchange-CrossTenant-AuthAs" check?

In instances where the sender does not have an MS Exchange account, msft will send the message on the users behalf with a noreply address from Microsoft. This header will be included. This is going to create a fair amount of telemetry so I want to let this sit for a little bit.
hunt

My intention would be to later remove the solicited sender check as well as these are often coming from popped user accounts. But that will be a different PR

@IndiaAce
Update Suspicious SharePoint document name
ab36b7d 
Adding newly observed pattern
@IndiaAce IndiaAce requested a review from a team February 5, 2026 13:51
@IndiaAce IndiaAce requested a review from a team as a code owner February 5, 2026 13:51
@github-actions github-actions Bot added the in-test-rules PR is in our testing suite to collect telemetry label Feb 5, 2026
github-actions Bot added a commit that referenced this pull request Feb 5, 2026
@github-actions
[PR #3965] added rule: Link: Suspicious SharePoint document name
3018493
github-actions Bot added a commit that referenced this pull request Feb 5, 2026
@github-actions
[PR #3965] added rule: PR# 3965 - Link: Suspicious SharePoint documen…
4ba191b 
…t name
IndiaAce and others added 2 commits February 5, 2026 09:26
@IndiaAce
Remove internal share check from detection rule
4ceb2c0 
Remove check for internal SharePoint shares in detection rule.
Auto-format MQL and add rule IDs
a9e00b7
github-actions Bot added a commit that referenced this pull request Feb 5, 2026
@github-actions
[PR #3965] modified rule: PR# 3965 - Link: Suspicious SharePoint docu…
31a6f45 
…ment name
github-actions Bot added a commit that referenced this pull request Feb 5, 2026
@github-actions
[PR #3965] modified rule: Link: Suspicious SharePoint document name
8a82399
@IndiaAce IndiaAce added the review-needed Indicates that a PR is waiting for review label Feb 9, 2026
@IndiaAce
Copy link
Copy Markdown
Member Author

IndiaAce commented Feb 9, 2026
edited
Loading

hunt showing latest exclusive matches on the ms exchange removal... there are some FPs but I'm tolerant of them for the # of FNs we resolve. https://platform.sublime.security/messages/hunt?huntId=019c42a1-be6f-7423-a59e-127b1bc0d9bd

MSAdministrator
MSAdministrator approved these changes Feb 9, 2026
View reviewed changes
Comment thread detection-rules/link_sharepoint_sus_name.yml
@IndiaAce IndiaAce enabled auto-merge February 10, 2026 13:26
@IndiaAce IndiaAce added this pull request to the merge queue Feb 13, 2026
Merged via the queue into main with commit 331b92a Feb 13, 2026
4 checks passed
@IndiaAce IndiaAce deleted the india.ESC-6676.sus_doc_name_new_pattern branch February 13, 2026 15:53
github-actions Bot added a commit that referenced this pull request Feb 13, 2026
@github-actions
[Shared Samples] [PR #3965] Delete detection rule
6ebfe28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zoomequipd zoomequipd zoomequipd approved these changes

@MSAdministrator MSAdministrator MSAdministrator approved these changes

Assignees

No one assigned

Labels

in-test-rules PR is in our testing suite to collect telemetry review-needed Indicates that a PR is waiting for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@IndiaAce @zoomequipd @MSAdministrator