General
This rule detects when a user shares files with an unusually large number of external users within a short timeframe. The detection triggers when 100 or more external recipients receive file shares within 45 minutes, which is highly indicative of compromise. This pattern is commonly observed in Adversary-in-the-Middle (AiTM) attacks where compromised accounts are used to distribute malicious documents containing links to additional phishing sites.
Rationale
Mass sharing of documents to external users is a classic indicator of account compromise, particularly in AiTM attack scenarios. When attackers gain access to a user's account, they often leverage the victim's trusted position and contact list to spread malicious content. The shared documents typically contain links to phishing sites designed to harvest additional credentials, creating a chain of compromises.
This attack pattern is particularly effective because:
- Trust exploitation: Recipients are more likely to open documents from known contacts
- Credential harvesting: Documents contain links to AiTM sites designed to steal authentication tokens
- Lateral movement: Each compromised account expands the attacker's reach within and across organizations
- Persistence: Multiple compromised accounts provide redundant access points
The detection threshold of 100+ external shares within 45 minutes is specifically tuned to catch automated malicious activity while minimizing false positives from legitimate bulk sharing scenarios.
Follow-up
Follow these steps to adequately address this detection:
-
Immediately validate with the user whether they deliberately shared files with this many external recipients:
-
If no: Treat as confirmed compromise and execute immediate containment:
- Disable the user account immediately to prevent further malicious activity
- Revoke all active sessions for the compromised account
- Reset the user's password and require MFA setup
- Remove or restrict access to the shared documents to prevent further infection
-
Investigate the shared content:
- Download and analyze the shared documents for malicious links
- Identify any embedded URLs pointing to suspicious domains
- Check if the document contains AiTM phishing links
- Verify file types - executables (.exe), scripts (.ps1, .js), or HTML files are particularly suspicious
-
Analyze the recipient list:
- Were recipients from the user's contacts or random external addresses?
- Check if any recipients have reported suspicious activity
- Identify if any recipient organizations should be notified
-
Timeline analysis:
- When did the account compromise likely occur?
- Were there suspicious login attempts or unusual access patterns?
- What other activities occurred during the compromise window?
-
If no: Treat as confirmed compromise and execute immediate containment:
Attic FIX
An automated fix is available to immediately disable the compromised account and revoke all active sessions. This remediation will:
- Disable the user account to prevent further malicious activity
- Terminate all active sessions to break any ongoing attacker access
- Require manual re-enablement after security review
For comprehensive incident response including malware analysis, threat intelligence correlation, and victim notification, contact Attic for Tier2 investigation support via our IR strippenkaart service.
Comments
0 comments
Please sign in to leave a comment.