Sendgrid onmicrosoft.com domain phishing
The message's From address is on an onmicrosoft.com domain (the default domain Microsoft 365 assigns to every tenant), but its Return-Path shows it was relayed through SendGrid rather than Microsoft's own outbound infrastructure. Legitimate tenant mail rarely takes that path, so the combination is treated as a credential-phishing signal; bounce and system mailboxes (postmaster, mailer-daemon, administrator) are excluded to cut down on false positives from automated notifications.
Sublime rule
```yaml
name: "Sendgrid onmicrosoft.com domain phishing"
description: |
  The message originates from an onmicrosoft.com email address being sent via Sendgrid.
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  // envelope sender (Return-Path) uses SendGrid's bounce domain
  and headers.return_path.domain.domain == "sendgrid.net"
  // header From is on a Microsoft 365 tenant default domain
  and sender.email.domain.root_domain == "onmicrosoft.com"
  // skip system and bounce mailboxes that legitimately send notifications
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "271f4ae9-9681-5d61-a94d-8fa714db826d"
```
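To make the header logic concrete outside of Sublime, here is an added example (not part of the rule or the Sublime project) that re-implements the same three conditions in plain Python using the standard library and runs them over three constructed messages: one that should fire, one from a postmaster mailbox that the exclusion list suppresses, and one benign SendGrid message. The `type.inbound` check is assumed to be satisfied by the mail flow feeding this function. `root_domain` here is an approximation that takes the last two labels; Sublime's `root_domain` uses public-suffix handling, so multi-label suffixes such as `.co.uk` would differ.

```python
"""Re-implementation of the rule's header checks in plain Python (added example)."""
import email
import fnmatch
from email.utils import parseaddr

# Local-part globs excluded by the rule (system and bounce mailboxes).
EXCLUDED_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")


def root_domain(domain: str) -> str:
    """Approximate Sublime's root_domain as the last two labels.
    Assumption: no public-suffix-list handling (wrong for e.g. foo.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def address_parts(header_value) -> tuple:
    """Return (local_part, domain), lower-cased, for the first address in a header."""
    _, addr = parseaddr(str(header_value or ""))
    if "@" not in addr:
        return "", ""
    local, _, dom = addr.rpartition("@")
    return local.lower(), dom.lower()


def matches_rule(raw_message: bytes) -> bool:
    """Mirror the rule: SendGrid Return-Path, onmicrosoft.com From, no system mailbox.
    Direction (type.inbound) is assumed to already be established by the caller."""
    msg = email.message_from_bytes(raw_message)
    _, return_path_domain = address_parts(msg.get("Return-Path"))
    sender_local, sender_domain = address_parts(msg.get("From"))

    # headers.return_path.domain.domain == "sendgrid.net" (exact match, not root domain)
    if return_path_domain != "sendgrid.net":
        return False
    # sender.email.domain.root_domain == "onmicrosoft.com"
    if root_domain(sender_domain) != "onmicrosoft.com":
        return False
    # not strings.like(sender.email.local_part, ...) -- case-insensitive globbing
    if any(fnmatch.fnmatchcase(sender_local, pat) for pat in EXCLUDED_LOCAL_PARTS):
        return False
    return True


# Constructed sample messages (not real captures).
HIT = b"""Return-Path: <bounces+12345-abcd-victim=example.com@sendgrid.net>
From: "IT Support" <helpdesk@contoso.onmicrosoft.com>
To: victim@example.com
Subject: Password expiry notice

Please re-authenticate at the link below.
"""

EXCLUDED_POSTMASTER = b"""Return-Path: <bounces+1-x@sendgrid.net>
From: postmaster@contoso.onmicrosoft.com
To: victim@example.com
Subject: Delivery report

Your message could not be delivered.
"""

BENIGN = b"""Return-Path: <bounces+1-x@sendgrid.net>
From: newsletter@shop.example
To: victim@example.com
Subject: Weekly deals

This week's offers.
"""


def evaluate_samples() -> dict:
    """Run the rule logic over the constructed samples; only HIT should fire."""
    return {
        "hit": matches_rule(HIT),
        "postmaster": matches_rule(EXCLUDED_POSTMASTER),
        "benign": matches_rule(BENIGN),
    }


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name}: {'FLAGGED' if fired else 'clean'}")
```

Note that the Return-Path comparison is an exact match on `sendgrid.net`, so a customer who sends through SendGrid with a custom bounce domain would not satisfy the first condition; that is the rule's behaviour, not a limitation of this re-implementation.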