
Microsoft infrastructure abuse with suspicious patterns

Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.

MITRE ATT&CK

defense-evasion, initial-access

Detection Query

type.inbound
and sender.email.domain.root_domain == "microsoft.com"
and headers.return_path.domain.domain not in $org_domains
and 1 of (
  (
    length(recipients.to) == 1
    and all(recipients.to,
            .email.domain.root_domain == "onmicrosoft.com"
            and not .email.domain.domain in $org_domains
    )
  ),
  headers.return_path.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftstoreemail.com',
    'microsoftsupport.com',
    'office.com',
    'teams-events.com',
    'qualtrics-research.com',
    'pb-dynmktg.com'
  ),
  any(headers.hops, any(.fields, .name == "Resent-From"))
)
and regex.icontains(body.current_thread.text,
                    '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b'
)
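As an added example (not part of the Sublime rule or its repository), the conditions above re-implemented in Python and run over two constructed messages, so the gating can be inspected step by step. The $org_domains stand-in, all domains and phone numbers, the message dict layout and the simplified root_domain helper are assumptions; the regex is the rule's own.

```python
import re

ORG_DOMAINS = {"example.com"}  # constructed stand-in for the rule's $org_domains list
# Return-path root domains the rule accepts as legitimate Microsoft mail (`not in~` compares case-insensitively)
KNOWN_RETURN_PATH_ROOTS = {
    "microsoft.com", "microsoftstoreemail.com", "microsoftsupport.com", "office.com",
    "teams-events.com", "qualtrics-research.com", "pb-dynmktg.com",
}
# The rule's phone-number pattern, verbatim; regex.icontains is a case-insensitive substring search
PHONE_RE = re.compile(r'\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b', re.IGNORECASE)


def root_domain(domain):
    # Approximates MQL's root_domain with the last two labels (no public-suffix list handling)
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def indicators(msg):
    # Which of the rule's three "1 of" indicators fire for a constructed message dict
    hits = []
    to = msg["to_domains"]
    if len(to) == 1 and all(root_domain(d) == "onmicrosoft.com" and d.lower() not in ORG_DOMAINS for d in to):
        hits.append("default onmicrosoft.com tenant recipient")
    if root_domain(msg["return_path_domain"]) not in KNOWN_RETURN_PATH_ROOTS:
        hits.append("non-Microsoft return path")
    if any("Resent-From" in hop for hop in msg["hops"]):  # each hop is a list of header field names
        hits.append("Resent-From header present")
    return hits


def rule_matches(msg):
    # Full rule: inbound, microsoft.com sender, external return path, at least one indicator, a phone number
    return (msg["inbound"]
            and root_domain(msg["sender_domain"]) == "microsoft.com"
            and msg["return_path_domain"].lower() not in ORG_DOMAINS
            and len(indicators(msg)) >= 1
            and PHONE_RE.search(msg["body_text"]) is not None)


# Constructed samples: every domain and number below is illustrative
CALLBACK_PHISH = {"inbound": True, "sender_domain": "microsoft.com",
                  "return_path_domain": "bounce.mailrelay.example.net",
                  "to_domains": ["tenant123.onmicrosoft.com"], "hops": [["Received", "Resent-From"]],
                  "body_text": "Your subscription renews for $499. To cancel, call 800 555-0199 within 24 hours."}
LEGIT_NOTICE = {"inbound": True, "sender_domain": "microsoft.com",
                "return_path_domain": "email.microsoft.com", "to_domains": ["example.com"],
                "hops": [["Received"]], "body_text": "Support is available at 800 555-0100."}

if __name__ == "__main__":
    for name, msg in (("callback phish", CALLBACK_PHISH), ("legit notice", LEGIT_NOTICE)):
        print(f"{name}: match={rule_matches(msg)} indicators={indicators(msg)}")
```

The legitimate notice carries a phone number but no indicator, so it stays quiet, which is the point of the `1 of` block. Note also that the rule's pattern has an unquantified `\s` after the area code, so a number written as 800-555-0199 does not match while 800 555-0199 does.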

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Microsoft infrastructure abuse with suspicious patterns"
description: "Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers. "
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.root_domain == "microsoft.com"
  and headers.return_path.domain.domain not in $org_domains
  and 1 of (
    (
      length(recipients.to) == 1
      and all(recipients.to,
              .email.domain.root_domain == "onmicrosoft.com"
              and not .email.domain.domain in $org_domains
      )
    ),
    headers.return_path.domain.root_domain not in~ (
      'microsoft.com',
      'microsoftstoreemail.com',
      'microsoftsupport.com',
      'office.com',
      'teams-events.com',
      'qualtrics-research.com',
      'pb-dynmktg.com'
    ),
    any(headers.hops, any(.fields, .name == "Resent-From"))
  )
  and regex.icontains(body.current_thread.text,
                      '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b'
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "cfe8e804-39ec-546f-9144-f721b95d9df1"