Message Traversed Multiple onmicrosoft.com Tenants

This detection rule identifies inbound messages addressed to a single onmicrosoft.com recipient outside the organization that have traversed two or more distinct onmicrosoft.com tenants (as seen in the SPF designators of the message hops) and whose return-path domain differs from the recipient domain. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients.

Sublime rule

 1name: "Message Traversed Multiple onmicrosoft.com Tenants"
 2description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants.  This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(recipients.to) == 1
 8  and all(recipients.to,
 9          .email.domain.root_domain == "onmicrosoft.com"
10          and not .email.domain.domain in $org_domains
11  )
12  // the message has traversed two or more different "onmicrosoft.com" subdomains
13  and length(distinct(map(filter(headers.hops,
14                                 strings.icontains(.authentication_results.spf_details.designator,
15                                                   '.onmicrosoft.com'
16                                 )
17                                 and not strings.contains(.authentication_results.spf_details.designator,
18                                                          "@"
19                                 )
20                          ),
21                          .authentication_results.spf_details.designator
22                      ),
23                      .
24             )
25  ) > 1
26  
27  and all(recipients.to, .email.domain.domain != headers.return_path.domain.domain)  
28attack_types:
29  - "Callback Phishing"
30tactics_and_techniques:
31  - "Evasion"
32  - "Free email provider"
33  - "Free subdomain host"
34detection_methods:
35  - "Sender analysis"
36  - "Header analysis"
37id: "9cf01c0d-95d5-5ea6-8150-cf5879834e06"