
Message traversed multiple onmicrosoft.com tenants

This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients.

MITRE ATT&CK

defense-evasion

Detection Query

type.inbound
and length(recipients.to) == 1
and all(recipients.to,
        .email.domain.root_domain == "onmicrosoft.com"
        and not .email.domain.domain in $org_domains
)
// the message has traversed two or more different "onmicrosoft.com" subdomains
and length(distinct(map(filter(headers.hops,
                               strings.icontains(.authentication_results.spf_details.designator,
                                                 '.onmicrosoft.com'
                               )
                               and not strings.contains(.authentication_results.spf_details.designator,
                                                        "@"
                               )
                        ),
                        .authentication_results.spf_details.designator
                    ),
                    .
           )
) > 1
and all(recipients.to,
        .email.domain.domain != headers.return_path.domain.domain
)
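The same logic re-implemented in Python over parsed Authentication-Results headers, so each clause of the query can be traced on sample data. This is an added example, not Sublime's code: the Message class, the smtp.mailfrom/smtp.helo regex standing in for spf_details.designator, and every header sample are constructed assumptions.

```python
# Added example reimplementing the rule over parsed headers; not Sublime's code.
import re
from dataclasses import dataclass
from typing import List, Set

# Stand-in for spf_details.designator: the smtp.mailfrom / smtp.helo value each hop stamps
DESIGNATOR_RE = re.compile(r"smtp\.(?:mailfrom|helo)=([^;\s]+)", re.IGNORECASE)

@dataclass
class Message:
    to: List[str]            # recipients.to
    return_path: str         # headers.return_path
    auth_results: List[str]  # one Authentication-Results value per hop (headers.hops)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def tenant_designators(auth_results: List[str]) -> Set[str]:
    """Distinct designators naming an onmicrosoft.com tenant; '@' (address) forms are ignored."""
    seen = set()
    for value in auth_results:
        m = DESIGNATOR_RE.search(value)
        if m:
            d = m.group(1).lower()
            if ".onmicrosoft.com" in d and "@" not in d:
                seen.add(d)
    return seen

def matches_rule(msg: Message, org_domains: Set[str]) -> bool:
    if len(msg.to) != 1:
        return False
    rcpt = domain_of(msg.to[0])
    # root_domain == "onmicrosoft.com", but not one of our own tenant domains
    if not rcpt.endswith(".onmicrosoft.com") or rcpt in org_domains:
        return False
    if len(tenant_designators(msg.auth_results)) <= 1:
        return False   # a single tenant in the hop chain is ordinary mail
    return rcpt != domain_of(msg.return_path)

ORG_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}
# Constructed: To: names a foreign tenant, and the hops show two distinct tenants
SUSPECT = Message(["all@tenant-b.onmicrosoft.com"], "bounce@tenant-a.onmicrosoft.com", [
    "spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=tenant-a.onmicrosoft.com; dkim=none",
    "spf=pass (sender IP is 203.0.113.20) smtp.mailfrom=tenant-b.onmicrosoft.com; dkim=none",
    "spf=pass smtp.mailfrom=user@tenant-c.onmicrosoft.com; dkim=none",  # address form, ignored
])
# Constructed: ordinary mail to our own tenant, relayed by a single tenant
BENIGN = Message(["alice@contoso.onmicrosoft.com"], "noreply@partner.onmicrosoft.com",
                 ["spf=pass smtp.mailfrom=partner.onmicrosoft.com; dkim=pass"])
```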

Data Sources

Email Messages
Email Headers
Email Attachments

Platforms

email

Raw Content

name: "Message traversed multiple onmicrosoft.com tenants"
description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants.  This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(recipients.to) == 1
  and all(recipients.to,
          .email.domain.root_domain == "onmicrosoft.com"
          and not .email.domain.domain in $org_domains
  )
  // the message has traversed two or more different "onmicrosoft.com" subdomains
  and length(distinct(map(filter(headers.hops,
                                 strings.icontains(.authentication_results.spf_details.designator,
                                                   '.onmicrosoft.com'
                                 )
                                 and not strings.contains(.authentication_results.spf_details.designator,
                                                          "@"
                                 )
                          ),
                          .authentication_results.spf_details.designator
                      ),
                      .
             )
  ) > 1
  and all(recipients.to,
          .email.domain.domain != headers.return_path.domain.domain
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Free subdomain host"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
id: "9cf01c0d-95d5-5ea6-8150-cf5879834e06"