EXPLORE
Sign In
← Back to Explore
sublimelowRule

Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

MITRE ATT&CK

T1566.003T1598T1566T1566.001T1566.002T1598.003
initial-access

Detection Query

type.inbound
and (
  sender.email.domain.root_domain == "onmicrosoft.com"
  or (
    strings.icontains(sender.display_name, "onmicrosoft.com")
    and sender.email.domain.valid == false
  )
)
and length(recipients.to) < 2
and length(body.links) > 0
// bounce-back negations
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
            or (.content_type == "text/plain" and .file_extension == "ics")
)
// negating legit replies
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "FW:")
    or strings.istarts_with(subject.subject, "FWD:")
    or regex.imatch(subject.subject,
                    '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
    )
    or strings.istarts_with(subject.subject, "Réponse automatique")
  )
  and (
    length(headers.references) > 0
    and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// negating auto-replies
and not (
  any(headers.hops,
      any(.fields, .name =~ "auto-submitted" and .value =~ "auto-generated")
      and any(.fields,
              .name =~ "X-MS-Exchange-Generated-Message-Source"
              and .value not in ("Antispam Quarantine Agent")
      )
  )
)
// Microsoft has some legit onmicrosoft domains...
and not (
  sender.email.domain.domain == "microsoft.onmicrosoft.com"
  and headers.auth_summary.spf.pass
  and all(body.links, .href_url.domain.root_domain == "microsoft.com")
)
// construct the proper sender domain and check against known recipients
and not strings.concat(sender.email.domain.subdomain,
                       ".",
                       sender.email.domain.tld
) in $recipient_domains
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not sender.email.domain.domain in $org_domains

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email

Tags

Attack surface reduction
Raw Content
name: "Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)"
description: "The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour."
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    sender.email.domain.root_domain == "onmicrosoft.com"
    or (
      strings.icontains(sender.display_name, "onmicrosoft.com")
      and sender.email.domain.valid == false
    )
  )
  and length(recipients.to) < 2
  and length(body.links) > 0
  // bounce-back negations
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not any(attachments,
              .content_type in (
                "message/rfc822",
                "message/delivery-status",
                "text/calendar"
              )
              or (.content_type == "text/plain" and .file_extension == "ics")
  )
  // negating legit replies
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (
      length(headers.references) > 0
      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negating auto-replies
  and not (
    any(headers.hops,
        any(.fields, .name =~ "auto-submitted" and .value =~ "auto-generated")
        and any(.fields,
                .name =~ "X-MS-Exchange-Generated-Message-Source"
                and .value not in ("Antispam Quarantine Agent")
        )
    )
  )
  // Microsoft has some legit onmicrosoft domains...
  and not (
    sender.email.domain.domain == "microsoft.onmicrosoft.com"
    and headers.auth_summary.spf.pass
    and all(body.links, .href_url.domain.root_domain == "microsoft.com")
  )
  // construct the proper sender domain and check against known recipients
  and not strings.concat(sender.email.domain.subdomain,
                         ".",
                         sender.email.domain.tld
  ) in $recipient_domains
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  and not sender.email.domain.domain in $org_domains
tags:
 - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "3f2a64ce-28bf-505e-a366-204241610ff9"