LoFP / scripts or tools that download attachments from these domains (onenote, outlook 365)

Techniques

Sample rules

Suspicious Download from Office Domain

Description

Detects suspicious ways to download files from Microsoft domains that are used to store attachments in emails or OneNote documents.

Detection logic

condition: all of selection_*
selection_domains:
  CommandLine|contains:
  - https://attachment.outlook.live.net/owa/
  - https://onenoteonlinesync.onenote.com/onenoteonlinesync/
selection_download:
- Image|endswith:
  - \curl.exe
  - \wget.exe
- CommandLine|contains:
  - Invoke-WebRequest
  - 'iwr '
  - 'curl '
  - 'wget '
  - Start-BitsTransfer
  - .DownloadFile(
  - .DownloadString(
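To make the matching behaviour of this rule concrete, here is an added example (not part of the LoFP page and not code from the Sigma project): a minimal evaluator for just the two modifiers the rule uses (`contains`, `endswith`), run over constructed process-creation events. It shows that `all of selection_*` ANDs the two selections, that the list of maps under `selection_download` is an OR between the `Image` map and the `CommandLine` map, and why the false positive named in the page title (a legitimate script that pulls attachments from these domains with Invoke-WebRequest) trips the rule exactly like a malicious download does. The event fields, the sample command lines and the evaluator itself are assumptions for illustration; a real Sigma backend handles many more modifiers.

```python
"""Evaluate the 'Suspicious Download from Office Domain' logic over sample events.

Constructed example: a tiny subset of Sigma matching semantics, not a Sigma
backend. Sigma string matching is case-insensitive by default, so both sides
of every comparison are lowercased.
"""

from typing import Dict, List, Union

# selection_domains, transcribed from the rule: a map, so its fields are ANDed
# (here there is only one field); the value list is an OR of the values.
SELECTION_DOMAINS = {
    "CommandLine|contains": [
        "https://attachment.outlook.live.net/owa/",
        "https://onenoteonlinesync.onenote.com/onenoteonlinesync/",
    ],
}

# selection_download, transcribed from the rule: a list of maps, so the maps
# are ORed. Matching either a curl/wget binary or a download command suffices.
SELECTION_DOWNLOAD = [
    {"Image|endswith": ["\\curl.exe", "\\wget.exe"]},
    {"CommandLine|contains": [
        "Invoke-WebRequest", "iwr ", "curl ", "wget ",
        "Start-BitsTransfer", ".DownloadFile(", ".DownloadString(",
    ]},
]

Selection = Union[Dict[str, List[str]], List[Dict[str, List[str]]]]


def _field_matches(event: Dict[str, str], key: str, values: List[str]) -> bool:
    """Evaluate one 'Field|modifier' entry; any listed value may match."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    for value in values:
        v = value.lower()
        if modifier == "contains" and v in actual:
            return True
        if modifier == "endswith" and actual.endswith(v):
            return True
    return False


def _selection_matches(event: Dict[str, str], selection: Selection) -> bool:
    """A map selection ANDs its fields; a list selection ORs its maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, m) for m in selection)
    return all(_field_matches(event, k, vals) for k, vals in selection.items())


def rule_matches(event: Dict[str, str]) -> bool:
    """condition: all of selection_*  ->  both selections must match."""
    return (_selection_matches(event, SELECTION_DOMAINS)
            and _selection_matches(event, SELECTION_DOWNLOAD))


# Constructed process-creation events (Sysmon-style field names, not real telemetry).
EVENTS: Dict[str, Dict[str, str]] = {
    # True positive: curl.exe pulling an attachment from the Outlook domain.
    "curl_attachment": {
        "Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": 'curl.exe -o note.txt "https://attachment.outlook.live.net/owa/att.txt"',
    },
    # True positive: PowerShell WebClient download from the OneNote sync domain.
    "ps_downloadstring": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -c (New-Object Net.WebClient).DownloadString("
                       "'https://onenoteonlinesync.onenote.com/onenoteonlinesync/page')",
    },
    # The LoFP case: an admin's backup script that legitimately uses
    # Invoke-WebRequest against the OneNote sync domain. The rule cannot
    # distinguish it from the cases above; this is the documented false positive.
    "benign_backup_script": {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell -File backup.ps1 Invoke-WebRequest "
                       "https://onenoteonlinesync.onenote.com/onenoteonlinesync/notebook",
    },
    # Office domain but no download tool: selection_download fails, no alert.
    "browser_only": {
        "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "CommandLine": "firefox.exe https://attachment.outlook.live.net/owa/att.txt",
    },
    # Download tool but an unrelated host: selection_domains fails, no alert.
    "curl_other_host": {
        "Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": "curl.exe https://example.invalid/file",
    },
}


def evaluate_all() -> Dict[str, bool]:
    """Return the rule verdict for every constructed event, keyed by name."""
    return {name: rule_matches(ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:22s} {'ALERT' if hit else 'no match'}")
```

The `benign_backup_script` event is the point of the LoFP entry: it is scored identically to the two malicious-looking events, so tuning has to happen outside the rule (for example, filtering on the known script path, parent process or user running the scheduled task) rather than by weakening either selection.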