sublimemediumRule

Sendgrid onmicrosoft.com domain phishing

The message originates from an onmicrosoft.com email address being sent via Sendgrid.

MITRE ATT&CK

T1566 T1566.001 T1566.002 T1598 T1036 T1027

defense-evasion

Detection Query

type.inbound
and headers.return_path.domain.domain == "sendgrid.net"
and sender.email.domain.root_domain == "onmicrosoft.com"
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)

Author

ajpc500

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

Raw Content

name: "Sendgrid onmicrosoft.com domain phishing"
description: |
  The message originates from an onmicrosoft.com email address being sent via Sendgrid.
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  and headers.return_path.domain.domain == "sendgrid.net"
  and sender.email.domain.root_domain == "onmicrosoft.com"
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "271f4ae9-9681-5d61-a94d-8fa714db826d"