[Shared Samples] [PR #4619] added rule: PR# 4619 - Service abuse: Citrix ShareFile impersonation via Outlook plugin

Author: github-actions[bot]

detection-rules/4619_service_abuse_sharefile_docx_plugin.yml

@@ -0,0 +1,31 @@
+name: "PR# 4619 - Service abuse: Citrix ShareFile impersonation via Outlook plugin"
+description: "Detects inbound messages with Word document attachments containing references to sharefile.com and Outlook plugin system indicators, suggesting abuse of legitimate file sharing services to deliver malicious content."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and any(attachments,
+          .file_type in ("doc", "docx")
+          and any(file.explode(.),
+                  strings.icontains(.scan.strings.raw, "sharefile.com")
+                  and strings.icontains(.scan.strings.raw,
+                                        "src=system-email-outlookplugin-new"
+                  )
+          )
+  )  
+attack_types:
+  - "BEC/Fraud"
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Free file host"
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Content analysis"
+id: "a9f43f1c-ba6d-5a32-9c77-70fd4cd877cd"
+tags:
+  - created_from_open_prs
+  - rule_status_added
+  - pr_author_markmsublime
+references:
+  - https://github.com/sublime-security/sublime-rules/pull/4619