Sendgrid onmicrosoft.com domain phishing

The message originates from an onmicrosoft.com email address and is sent via Sendgrid.

Sublime rule (View on GitHub)

name: "Sendgrid onmicrosoft.com domain phishing"
description: |
    The message originates from an onmicrosoft.com email address being sent via Sendgrid.
type: "rule"
authors:
  - twitter: "ajpc500"
severity: "medium"
source: |
  type.inbound
  and headers.return_path.domain.domain == "sendgrid.net"
  and sender.email.domain.root_domain == "onmicrosoft.com"
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
detection_methods:
  - "Header analysis"
id: "271f4ae9-9681-5d61-a94d-8fa714db826d"
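
The same two header comparisons can be checked against raw messages outside Sublime, for example when triaging exported .eml files. The Python below is an added example, not part of the rule or of Sublime's tooling: the function names and sample messages are constructed, the input is assumed to be inbound mail already, and the root domain is approximated as the last two labels.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (placeholder addresses, not real traffic).
SENDGRID_ONMICROSOFT = """\
Return-Path: <bounces+0000000-abcd-user=example.com@sendgrid.net>
From: "IT Support" <helpdesk@tenant-example.onmicrosoft.com>
Subject: Action required

body
"""
SENDGRID_CUSTOM_DOMAIN = """\
Return-Path: <bounces+0000000-abcd-user=example.com@em1234.example.org>
From: News <news@example.org>
Subject: Newsletter

body
"""
DIRECT_ONMICROSOFT = """\
Return-Path: <helpdesk@tenant-example.onmicrosoft.com>
From: helpdesk@tenant-example.onmicrosoft.com
Subject: Hello

body
"""


def header_domain(value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(value or "")
    _, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep else ""


def root_domain(domain):
    # Assumption: last two labels. Enough for onmicrosoft.com; general use
    # needs the Public Suffix List.
    return ".".join(domain.split(".")[-2:])


def matches_rule(raw_message):
    """True when both header conditions from the rule's source hold."""
    msg = message_from_string(raw_message)
    # Exact domain for Return-Path, root domain for the From address,
    # mirroring the two comparisons in the rule.
    return (header_domain(msg.get("Return-Path")) == "sendgrid.net"
            and root_domain(header_domain(msg.get("From"))) == "onmicrosoft.com")
```

Only the first sample matches: the second has a custom return-path domain and sender domain, and the third has an onmicrosoft.com sender without the sendgrid.net return path.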