• Sublime Core Feed
High Severity

Microsoft infrastructure abuse with suspicious patterns

Description

Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.

References

No references.

Sublime Security
Created Sep 4th, 2024 • Last updated Aug 5th, 2025
Source
type.inbound
and sender.email.domain.root_domain == "microsoft.com"
and headers.return_path.domain.domain not in $org_domains
and 1 of (
  (
    length(recipients.to) == 1
    and all(recipients.to,
            .email.domain.root_domain == "onmicrosoft.com"
            and not .email.domain.domain in $org_domains
    )
  ),
  headers.return_path.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftstoreemail.com',
    'microsoftsupport.com',
    'office.com',
    'teams-events.com',
    'qualtrics-research.com',
    'pb-dynmktg.com'
  ),
  any(headers.hops, any(.fields, .name == "Resent-From"))
)
and regex.icontains(body.current_thread.text, '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b')
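As an added example, not Sublime's code and not part of the rule page, the same detection logic re-implemented in Python over a raw message so it can be exercised offline. The helper names, the `org_domains` set and the sample message are assumptions constructed here; the hop-level Resent-From check and `body.current_thread.text` are simplified to the top-level header and the plain-text body.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Return-path root domains the rule treats as legitimate Microsoft senders.
MS_RETURN_PATH_ROOTS = {
    "microsoft.com", "microsoftstoreemail.com", "microsoftsupport.com",
    "office.com", "teams-events.com", "qualtrics-research.com", "pb-dynmktg.com",
}
# The rule's phone-number pattern (regex.icontains => case-insensitive search).
PHONE_RE = re.compile(r"\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b", re.I)

# Constructed sample message illustrating the pattern; not a real email.
SUSPICIOUS_EML = """\
From: "Microsoft 365" <no-reply@microsoft.com>
Return-Path: <bounce@example.net>
To: <user@contoso.onmicrosoft.com>
Content-Type: text/plain

Your order was charged $399.99. To cancel, call (800) 555-0199 today.
"""

def root_domain(domain: str) -> str:
    """Last two labels of a hostname; a stand-in for MQL's .root_domain."""
    labels = domain.lower().split(".")
    return ".".join(labels[-2:])

def addr_domain(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def matches_rule(raw_eml: str, org_domains: set[str]) -> bool:
    """Re-implementation of the rule over a single plain-text message (assumed helper)."""
    msg = message_from_string(raw_eml)
    sender_dom = addr_domain(msg.get("From", ""))
    rp_dom = addr_domain(msg.get("Return-Path", ""))
    # Base conditions: claims to be microsoft.com and the return path is not one of ours.
    if root_domain(sender_dom) != "microsoft.com" or rp_dom in org_domains:
        return False
    to_addrs = [addr_domain(a) for _, a in getaddresses(msg.get_all("To", []))]
    single_onmicrosoft_rcpt = (len(to_addrs) == 1 and root_domain(to_addrs[0]) == "onmicrosoft.com"
                               and to_addrs[0] not in org_domains)
    non_microsoft_return_path = root_domain(rp_dom) not in MS_RETURN_PATH_ROOTS
    # Simplification: the rule inspects every hop's fields; here only the top-level header.
    resent_from_present = msg.get("Resent-From") is not None
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    suspicious = single_onmicrosoft_rcpt or non_microsoft_return_path or resent_from_present
    return suspicious and PHONE_RE.search(body) is not None
```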