Sendgrid onmicrosoft.com domain phishing
The message originates from an onmicrosoft.com email address and is sent via Sendgrid.
Sublime rule
name: "Sendgrid onmicrosoft.com domain phishing"
description: |
  The message originates from an onmicrosoft.com email address being sent via Sendgrid.
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  and headers.return_path.domain.domain == "sendgrid.net"
  and sender.email.domain.root_domain == "onmicrosoft.com"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "271f4ae9-9681-5d61-a94d-8fa714db826d"
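The same two header checks applied to raw RFC 5322 messages, for triaging saved .eml files outside Sublime. This is an added example, not part of the original rule or Sublime's code. The function names and sample messages are constructed, `type.inbound` is assumed to be covered by where the messages were collected, and the comparison semantics (exact full domain for Return-Path, root domain for the sender) are this example's reading of the rule's field names.

```python
from email import message_from_string
from email.utils import parseaddr


def header_domain(value):
    """Lower-cased domain of the first address in a header value, or ''."""
    _, addr = parseaddr(value or "")
    if "@" not in addr:
        return ""  # missing header or null return path "<>"
    return addr.rpartition("@")[2].lower().rstrip(".")


def matches_rule(raw_message):
    """True when Return-Path is at sendgrid.net and From is under onmicrosoft.com."""
    msg = message_from_string(raw_message)
    return_path = header_domain(msg.get("Return-Path"))
    sender = header_domain(msg.get("From"))
    # headers.return_path.domain.domain: compared as the full domain.
    via_sendgrid = return_path == "sendgrid.net"
    # sender.email.domain.root_domain: any tenant subdomain counts, but a
    # lookalike such as notonmicrosoft.com must not (hence the leading dot).
    from_tenant = sender == "onmicrosoft.com" or sender.endswith(".onmicrosoft.com")
    return via_sendgrid and from_tenant


def build(return_path, from_header):
    """Constructed sample message with only the headers the rule inspects."""
    return "\n".join([
        f"Return-Path: {return_path}",
        f"From: {from_header}",
        "Subject: constructed sample",
        "",
        "body",
    ])


# Constructed samples; none of these addresses come from the rule page.
SAMPLES = {
    "match": build("<bounces+1-ab@sendgrid.net>", '"IT" <a@tenant1.onmicrosoft.com>'),
    "other_sender": build("<bounces+1-ab@sendgrid.net>", "news@example.com"),
    "lookalike": build("<bounces+1-ab@sendgrid.net>", "a@notonmicrosoft.com"),
    "direct_m365": build("<a@tenant1.onmicrosoft.com>", "a@tenant1.onmicrosoft.com"),
    "null_return_path": build("<>", "a@tenant1.onmicrosoft.com"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {matches_rule(raw)}")
```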