Medium Severity

Message traversed multiple onmicrosoft.com tenants

Labels

Callback Phishing

Evasion

Description

This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients.

References

No references.

Sublime Security

Created Dec 18th, 2024 • Last updated Aug 5th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(recipients.to) == 1
and all(recipients.to,
        .email.domain.root_domain == "onmicrosoft.com"
        and not .email.domain.domain in $org_domains
)
// the message has traversed two or more different "onmicrosoft.com" subdomains
and length(distinct(map(filter(headers.hops,
                               strings.icontains(.authentication_results.spf_details.designator,
                                                 '.onmicrosoft.com'
                               )
                               and not strings.contains(.authentication_results.spf_details.designator,
                                                        "@"
                               )
                        ),
                        .authentication_results.spf_details.designator
                    ),
                    .
           )
) > 1

and all(recipients.to, .email.domain.domain != headers.return_path.domain.domain)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.