heroui logo

Attachment: Microsoft SharePoint Impersonation via images in macro-enabled attachment

Sublime Rules

View Source
Summary
This rule detects inbound macro-enabled Office documents (e.g., .docx) attached to emails that contain embedded images whose text mimics Microsoft SharePoint file-sharing notifications. It targets macro-enabled attachments and applies image content analysis (OCR) to the embedded images. If OCR results contain phrases associated with SharePoint collaboration prompts such as inviting to edit or describing access controls, the rule flags potential credential phishing rooted in brand impersonation. The approach combines file/attachment analysis, macro analysis, and OCR to identify social-engineering content designed to deceive recipients into trusting and opening the attachment.
Categories
  • Endpoint
  • Web
  • Application
  • Other
Data Sources
  • File
  • Image
Created: 2026-07-17