Sendgrid onmicrosoft.com domain phishing

The message is sent from an onmicrosoft.com address, the default domain every Microsoft 365 tenant receives, but is delivered through Sendgrid, with a sendgrid.net return path. Tenant mail from that domain normally leaves through Microsoft's own infrastructure, so a third-party bulk sender on the return path is treated as a likely credential-phishing evasion. Tenant system addresses (postmaster, mailer-daemon, administrator) are excluded so that bounces and admin notifications do not trigger the rule.

Sublime rule

name: "Sendgrid onmicrosoft.com domain phishing"
description: |
    The message is sent from an onmicrosoft.com address but delivered via Sendgrid (sendgrid.net return path).
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  // return path is Sendgrid's shared bounce domain (exact match on the full domain, not a subdomain check)
  and headers.return_path.domain.domain == "sendgrid.net"
  // From address is in a Microsoft 365 tenant's default domain, e.g. contoso.onmicrosoft.com
  and sender.email.domain.root_domain == "onmicrosoft.com"
  // ignore tenant system mail: bounces and admin notifications
  and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "271f4ae9-9681-5d61-a94d-8fa714db826d"
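The following is an added example, not Sublime's code or part of the rule above: it re-implements the rule's three header checks in Python so they can be run against constructed messages and the exclusions can be seen working. Two things are assumptions of this example rather than engine behaviour: `root_domain` is approximated as the last two DNS labels (Sublime derives it from the public suffix list), and `type.inbound` is message metadata that the caller supplies as a flag. The sample messages are constructed for the example.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# The constants the rule's source block keys on.
RETURN_PATH_DOMAIN = "sendgrid.net"
SENDER_ROOT_DOMAIN = "onmicrosoft.com"
SYSTEM_LOCAL_PART_PATTERNS = ("*postmaster*", "*mailer-daemon*", "*administrator*")


def address_parts(header_value: Optional[str]) -> Tuple[str, str]:
    """Split a From or Return-Path header into (local_part, domain).

    The domain is lowercased (DNS names are case-insensitive); the local part
    is left as-is so the glob check below stays case-sensitive like strings.like.
    """
    if not header_value:
        return "", ""
    _display_name, addr = parseaddr(header_value)
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return "", ""
    return local, domain.lower()


def root_domain(domain: str) -> str:
    """Assumed approximation of Sublime's .root_domain for this example:
    the last two labels, so contoso.onmicrosoft.com -> onmicrosoft.com.
    """
    labels = [label for label in domain.split(".") if label]
    return ".".join(labels[-2:])


def rule_matches(raw_message: str, inbound: bool = True) -> bool:
    """Evaluate the rule's conditions against one RFC 5322 message.

    `inbound` stands in for type.inbound, which is not a header.
    """
    if not inbound:
        return False
    msg: Message = message_from_string(raw_message)

    # headers.return_path.domain.domain == "sendgrid.net": an exact match
    # on the full domain, so a customised subdomain would not match.
    _, return_path_domain = address_parts(msg.get("Return-Path"))
    if return_path_domain != RETURN_PATH_DOMAIN:
        return False

    # sender.email.domain.root_domain == "onmicrosoft.com"
    local_part, sender_domain = address_parts(msg.get("From"))
    if root_domain(sender_domain) != SENDER_ROOT_DOMAIN:
        return False

    # not strings.like(sender.email.local_part, "*postmaster*", ...):
    # tenant system mail is excluded from the alert.
    if any(fnmatchcase(local_part, pat) for pat in SYSTEM_LOCAL_PART_PATTERNS):
        return False
    return True


# Constructed sample messages for this example (not real traffic).
PHISH_SAMPLE = """\
Return-Path: <bounces+1234567-abcd-victim=example.com@sendgrid.net>
From: "IT Helpdesk" <helpdesk@contoso.onmicrosoft.com>
To: victim@example.com
Subject: Action required: your password expires today

Sign in within 24 hours to keep access to your mailbox.
"""

# Same delivery path, but from the tenant's postmaster: excluded by the rule.
POSTMASTER_SAMPLE = PHISH_SAMPLE.replace(
    '"IT Helpdesk" <helpdesk@contoso.onmicrosoft.com>',
    "postmaster@contoso.onmicrosoft.com",
)

# Sendgrid return path with a verified custom domain in From: not in scope.
CUSTOM_DOMAIN_SAMPLE = PHISH_SAMPLE.replace("contoso.onmicrosoft.com", "contoso.example")

if __name__ == "__main__":
    for name, sample in (
        ("phish", PHISH_SAMPLE),
        ("postmaster", POSTMASTER_SAMPLE),
        ("custom domain", CUSTOM_DOMAIN_SAMPLE),
    ):
        print(f"{name}: {rule_matches(sample)}")
```

Running the script shows only the first sample matching. Note the two design points carried over from the rule: the return-path comparison is an exact match on `sendgrid.net`, not a suffix check, and the local-part exclusion is a glob rather than an equality test, so `postmaster-noreply` is excluded as well.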