Medium Severity

Message Traversed Multiple onmicrosoft.com Tenants

Labels

Callback Phishing
Evasion
Free email provider
Free subdomain host
Sender analysis
Header analysis

Description

This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants, as recorded in the SPF designators of the Authentication-Results headers attached to the message's hops. It fires only when the message has a single To: recipient at an onmicrosoft.com address that is not one of the organization's own domains, when two or more hops carry SPF designators naming different onmicrosoft.com subdomains, and when the return-path domain differs from the recipient's domain. Relaying one message through several tenants has been observed as an evasion tactic used to distribute a single message across a list of targeted recipients.

References

No references.

Sublime Security
Created Dec 18th, 2024 • Last updated Dec 18th, 2024
Feed Source
Sublime Core Feed
Source
GitHub

type.inbound
// exactly one To: recipient, at an onmicrosoft.com tenant that is not one of ours
and length(recipients.to) == 1
and all(recipients.to,
        .email.domain.root_domain == "onmicrosoft.com"
        and not .email.domain.domain in $org_domains
)
// the message has traversed two or more different "onmicrosoft.com" subdomains:
// keep hops whose SPF designator names an onmicrosoft.com subdomain as a bare
// domain (designators containing "@" are full addresses and are skipped),
// then count the distinct designators
and length(distinct(map(filter(headers.hops,
                               strings.icontains(.authentication_results.spf_details.designator,
                                                 '.onmicrosoft.com'
                               )
                               and not strings.contains(.authentication_results.spf_details.designator,
                                                        "@"
                               )
                        ),
                        .authentication_results.spf_details.designator
                    ),
                    .
            )
) > 1
// the recipient tenant must differ from the tenant in the bounce address
and all(recipients.to, .email.domain.domain != headers.return_path.domain.domain)
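The same logic, re-implemented in Python over a raw .eml so it can be exercised outside Sublime. This is an added example, not Sublime's own code; it assumes the MQL field headers.hops[].authentication_results.spf_details.designator corresponds to the smtp.mailfrom= value in each Authentication-Results header (the form Exchange Online writes), and the two sample messages, their tenant names, addresses and IPs are constructed for the example.

```python
"""Stand-alone re-implementation of the multi-tenant traversal check over .eml input.

Added example, not Sublime's code. Assumption: the MQL designator
(headers.hops[].authentication_results.spf_details.designator) is taken to be
the smtp.mailfrom= value of each Authentication-Results header.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SPF_DESIGNATOR_RE = re.compile(r"smtp\.mailfrom=([^\s;]+)", re.IGNORECASE)

# Constructed sample: a single recipient at a tenant that is not ours, relayed
# through two different onmicrosoft.com tenants. The third Authentication-Results
# carries a full address as designator and must not be counted.
MATCHING_EML = b"""\
Return-Path: <bounce@tenant-a.onmicrosoft.com>
Received: from relay.tenant-b.example (203.0.113.6) by mx.example.net; Wed, 18 Dec 2024 10:01:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.6)
 smtp.mailfrom=tenant-b.onmicrosoft.com; dkim=none; dmarc=none
Received: from mail.tenant-a.example (203.0.113.5) by relay.tenant-b.example; Wed, 18 Dec 2024 10:00:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.5)
 smtp.mailfrom=tenant-a.onmicrosoft.com; dkim=none; dmarc=none
Authentication-Results: spf=pass smtp.mailfrom=ops@tenant-c.onmicrosoft.com
From: "Billing" <billing@tenant-a.onmicrosoft.com>
To: <victim@target-list.onmicrosoft.com>
Subject: Invoice 48211 - call to cancel
Content-Type: text/plain

Your subscription has been renewed for $499. Call 555-0100 to cancel.
"""

# Constructed benign sample: same shape, but every hop reports the same tenant.
BENIGN_EML = b"""\
Return-Path: <bounce@tenant-a.onmicrosoft.com>
Received: from mail.tenant-a.example (203.0.113.5) by mx.example.net; Wed, 18 Dec 2024 10:00:00 +0000
Authentication-Results: spf=pass (sender IP is 203.0.113.5)
 smtp.mailfrom=tenant-a.onmicrosoft.com; dkim=pass header.d=tenant-a.onmicrosoft.com
Authentication-Results: spf=pass smtp.mailfrom=tenant-a.onmicrosoft.com
From: <alerts@tenant-a.onmicrosoft.com>
To: <victim@target-list.onmicrosoft.com>
Subject: Weekly digest
Content-Type: text/plain

Nothing to see here.
"""


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def spf_designators(msg: EmailMessage) -> list[str]:
    """SPF designator of each Authentication-Results header, in header order."""
    found = []
    for header in msg.get_all("Authentication-Results", []):
        m = SPF_DESIGNATOR_RE.search(str(header))
        if m:
            found.append(m.group(1).strip('"<>').lower())
    return found


def distinct_tenant_designators(msg: EmailMessage) -> set[str]:
    """Mirror of the MQL filter -> map -> distinct pipeline: keep designators that
    name an onmicrosoft.com subdomain as a bare domain (no '@')."""
    return {d for d in spf_designators(msg) if ".onmicrosoft.com" in d and "@" not in d}


def rule_matches(raw: bytes, org_domains: set[str]) -> bool:
    msg = parse(raw)
    to = msg["To"]
    # length(recipients.to) == 1
    if to is None or len(to.addresses) != 1:
        return False
    to_domain = to.addresses[0].domain.lower()
    # root_domain == "onmicrosoft.com" and the full domain is not one of ours
    if not to_domain.endswith(".onmicrosoft.com") or to_domain in org_domains:
        return False
    # two or more different onmicrosoft.com tenants across the hops
    if len(distinct_tenant_designators(msg)) < 2:
        return False
    # recipient domain must differ from the return-path domain
    return_path = str(msg.get("Return-Path", "")).strip().strip("<>")
    return to_domain != return_path.rpartition("@")[2].lower()


if __name__ == "__main__":
    ours = {"contoso.onmicrosoft.com"}
    print("matching sample:", rule_matches(MATCHING_EML, ours))
    print("benign sample:  ", rule_matches(BENIGN_EML, ours))
```

The root-domain check is approximated with an endswith() test, which is adequate for onmicrosoft.com; a general port of `.email.domain.root_domain` should consult the public suffix list. Note that the benign sample also passes through an onmicrosoft.com tenant; what the rule keys on is the count of distinct tenants, not the presence of one.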