From 7ab74a78174293954773ebb20a5ae3ca03ec2fe0 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Wed, 31 Dec 2025 01:35:56 -0800
Subject: [PATCH] Enhance detection rules for SharePoint credential theft

---
 .../impersonation_sharepoint_body_credential_theft.yml     | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/detection-rules/impersonation_sharepoint_body_credential_theft.yml b/detection-rules/impersonation_sharepoint_body_credential_theft.yml
index 2fed94f08d4..7afcb061aa7 100644
--- a/detection-rules/impersonation_sharepoint_body_credential_theft.yml
+++ b/detection-rules/impersonation_sharepoint_body_credential_theft.yml
@@ -20,6 +20,13 @@ source: |
     or regex.icontains(body.html.raw,
                        '<img.*(title=|alt=).share.*src=""'
     ) // broken Sharepoint logo
+    or (
+      strings.icontains(strings.replace_confusables(body.plain.raw), "SharePoint")
+      // message body references file deletion
+      and regex.icontains(body.plain.raw,
+                          '(expired )?file\s(was|has been|will be|scheduled (for|to be))\s?delet(ed|ion)'
+      )
+    )
   )
   and (
     (