• Sublime Core Feed
  • Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
Low Severity

Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)

Labels

Callback Phishing
Credential Phishing
Spam
Free email provider
Impersonation: Brand
Social engineering
Content analysis
Sender analysis

Description

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

References

No references.

Sublime Security
Created Feb 29th, 2024 • Last updated Jan 10th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and (
  sender.email.domain.root_domain == "onmicrosoft.com"
  or (
    strings.icontains(sender.display_name, "onmicrosoft.com")
    and sender.email.domain.valid == false
  )
)
and length(recipients.to) < 2
and length(body.links) > 0
// bounce-back negations
and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
and not any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
            or (.content_type == "text/plain" and .file_extension == "ics")
)
// negating legit replies
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "FW:")
    or strings.istarts_with(subject.subject, "FWD:")
    or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*')
    or strings.istarts_with(subject.subject, "RĂ©ponse automatique")
  )
  and (
    length(headers.references) > 0
    and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
  )
)
// negating auto-replies
and not (
  any(headers.hops,
      any(.fields, .name =~ "auto-submitted" and .value =~ "auto-generated")
      and any(.fields,
              .name =~ "X-MS-Exchange-Generated-Message-Source"
              and .value not in ("Antispam Quarantine Agent")
      )
  )
)
// Microsoft has some legit onmicrosoft domains...
and not (
  sender.email.domain.domain == "microsoft.onmicrosoft.com"
  and headers.auth_summary.spf.pass
  and all(body.links, .href_url.domain.root_domain == "microsoft.com")
)
// construct the proper sender domain and check against known recipients
and not strings.concat(sender.email.domain.subdomain,  ".", sender.email.domain.tld) in $recipient_domains
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and not sender.email.domain.domain in $org_domains
MQL Rule Console
•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started