Suspicious Download from Office Domain

Original Source: [Sigma source]
Title: Suspicious Download from Office Domain
Status: test
Description: Detects suspicious ways to download files from Microsoft domains that are used to store attachments in emails or OneNote documents
References:
  - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
  - https://twitter.com/mrd0x/status/1475085452784844803?s=12
Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
Date: 2021-12-27
Modified: 2022-08-02
Tags:
  - attack.command-and-control
  - attack.t1105
  - attack.t1608
Logsource:
  product: windows
  category: process_creation
Detection:
  selection_download:
    - Image|endswith:
        - '\curl.exe'
        - '\wget.exe'
    - CommandLine|contains:
        - 'Invoke-WebRequest'
        - 'iwr '
        - 'curl '
        - 'wget '
        - 'Start-BitsTransfer'
        - '.DownloadFile('
        - '.DownloadString('
  selection_domains:
    CommandLine|contains:
      - 'https://attachment.outlook.live.net/owa/'
      - 'https://onenoteonlinesync.onenote.com/onenoteonlinesync/'
  condition: all of selection_*
Falsepositives:
  - Scripts or tools that download attachments from these domains (OneNote, Outlook 365)
Level: high
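To show how the two selections combine, the following is an added Python evaluation of the rule's detection logic over constructed process_creation events. It is not code from the Sigma project or from the rule's authors. It assumes Sysmon event ID 1 style field names (Image, CommandLine), applies Sigma's default case-insensitive string matching, treats the list of two maps under selection_download as an OR (as Sigma does), and ANDs the two selections per the condition. The sample events, paths and URLs are constructed for the example.

```python
"""Evaluate the detection logic of the 'Suspicious Download from Office Domain'
Sigma rule over constructed Windows process_creation events.

Added example: this is not code from the Sigma project. Field names follow
Sysmon event ID 1 (Image, CommandLine); the sample events are constructed.
"""

# Values copied from the rule's detection section.
DOWNLOAD_IMAGES = ("\\curl.exe", "\\wget.exe")
DOWNLOAD_CMDLINE = (
    "Invoke-WebRequest", "iwr ", "curl ", "wget ",
    "Start-BitsTransfer", ".DownloadFile(", ".DownloadString(",
)
OFFICE_DOMAINS = (
    "https://attachment.outlook.live.net/owa/",
    "https://onenoteonlinesync.onenote.com/onenoteonlinesync/",
)


def _endswith_any(value: str, suffixes) -> bool:
    # Sigma string modifiers (endswith/contains) are case-insensitive by default.
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def selection_download(event: dict) -> bool:
    """A YAML list of maps under a selection is OR-ed in Sigma: either the
    Image is curl/wget, or the CommandLine carries a download keyword."""
    return (_endswith_any(event.get("Image", ""), DOWNLOAD_IMAGES)
            or _contains_any(event.get("CommandLine", ""), DOWNLOAD_CMDLINE))


def selection_domains(event: dict) -> bool:
    return _contains_any(event.get("CommandLine", ""), OFFICE_DOMAINS)


def matches(event: dict) -> bool:
    """condition: all of selection_*  (both selections must hold)."""
    return selection_download(event) and selection_domains(event)


def run_rule(events) -> list:
    """Return the names of the events that trigger the rule."""
    return [name for name, ev in events if matches(ev)]


# Constructed sample events (hypothetical paths and URLs).
SAMPLE_EVENTS = [
    ("curl_owa", {  # true positive: curl.exe pulling an Outlook attachment
        "Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": 'curl.exe -o C:\\Users\\Public\\inv.exe '
                       '"https://attachment.outlook.live.net/owa/attachment/a1"',
    }),
    ("powershell_onenote", {  # true positive: Invoke-WebRequest on OneNote sync
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": 'powershell.exe -NoP -c "Invoke-WebRequest -Uri '
                       'https://onenoteonlinesync.onenote.com/onenoteonlinesync/get/7 '
                       '-OutFile C:\\Users\\Public\\update.exe"',
    }),
    ("iwr_mixedcase", {  # still matches: Sigma matching ignores case
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe IWR https://ATTACHMENT.outlook.live.net/owa/attachment/b2",
    }),
    ("curl_other_domain", {  # download tool, but not an Office domain
        "Image": "C:\\Windows\\System32\\curl.exe",
        "CommandLine": "curl.exe -O https://example.com/tool.zip",
    }),
    ("browser_open", {  # Office URL present, but no download tool or keyword
        "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
        "CommandLine": "msedge.exe --single-argument https://attachment.outlook.live.net/owa/attachment/c3",
    }),
]

if __name__ == "__main__":
    for name in run_rule(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Two details are worth noticing when tuning the rule. The keywords 'curl ' and 'wget ' carry a trailing space, so a command line such as `curl.exe -o ...` is caught only through the Image field, not the CommandLine keyword; and because the condition requires both selections, a browser opening an attachment URL does not fire, while any script that uses Invoke-WebRequest or Start-BitsTransfer against these domains does, which is exactly the false-positive class the rule lists.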