Microsoft Infrastructure Abuse With Suspicious Patterns

Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.

Sublime rule (View on GitHub)

name: "Microsoft Infrastructure Abuse With Suspicious Patterns"
description: "Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.root_domain == "microsoft.com"
  and 1 of (
    (
      length(recipients.to) == 1
      and all(recipients.to,
              .email.domain.root_domain == "onmicrosoft.com"
              and not .email.domain.domain in $org_domains
      )
    ),
    headers.return_path.domain.root_domain not in~ (
      'microsoft.com',
      'microsoftstoreemail.com',
      'microsoftsupport.com',
      'office.com',
      'teams-events.com',
      'qualtrics-research.com',
      'pb-dynmktg.com'
    ),
    any(headers.hops, any(.fields, .name == "Resent-From"))
  )
  and regex.icontains(body.current_thread.text, '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b')

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "cfe8e804-39ec-546f-9144-f721b95d9df1"
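As an added example (not Sublime's engine and not code from the rule's repository), the Python below re-implements the rule's clause logic and runs it over constructed sample messages; the `$org_domains` stand-in, the `Message` model and the simplified `root_domain` helper are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical stand-in for Sublime's $org_domains list (constructed for this example).
ORG_DOMAINS = {"example.org"}

# Return-path root domains the rule treats as legitimate Microsoft senders.
ALLOWED_RETURN_PATHS = {
    "microsoft.com", "microsoftstoreemail.com", "microsoftsupport.com",
    "office.com", "teams-events.com", "qualtrics-research.com", "pb-dynmktg.com",
}

# The rule's phone-number pattern; re.I mirrors regex.icontains.
PHONE_RE = re.compile(r"\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b", re.I)


@dataclass
class Message:
    """Minimal parsed-message model holding only the fields the rule inspects."""
    sender_domain: str          # sender.email.domain
    to_domains: list            # email domain of each recipients.to entry
    return_path_domain: str     # headers.return_path.domain
    hop_header_names: list      # header names observed across headers.hops
    body_text: str              # body.current_thread.text


def root_domain(domain: str) -> str:
    # Simplified root_domain (last two labels); Sublime's is public-suffix aware.
    return ".".join(domain.lower().split(".")[-2:])


def rule_matches(msg: Message, org_domains=ORG_DOMAINS) -> bool:
    """Return True when the message satisfies every clause of the rule."""
    if root_domain(msg.sender_domain) != "microsoft.com":
        return False
    # Clause 1: exactly one recipient, on a default onmicrosoft.com tenant we do not own.
    single_onmicrosoft = len(msg.to_domains) == 1 and all(
        root_domain(d) == "onmicrosoft.com" and d.lower() not in org_domains
        for d in msg.to_domains
    )
    # Clause 2: return-path root domain outside Microsoft's known sending domains.
    foreign_return_path = root_domain(msg.return_path_domain) not in ALLOWED_RETURN_PATHS
    # Clause 3: a Resent-From header in any hop (message was re-sent or forwarded).
    resent_from = any(n.lower() == "resent-from" for n in msg.hop_header_names)
    # "1 of (...)" in the rule means at least one of the three clauses must hold.
    if not (single_onmicrosoft or foreign_return_path or resent_from):
        return False
    # Finally, the callback lure: a phone number somewhere in the current thread text.
    return PHONE_RE.search(msg.body_text) is not None


# Constructed samples: a callback lure sent to a default tenant address, and a
# legitimate Microsoft notice that carries a support number but no abuse signal.
LURE = Message("microsoft.com", ["contoso.onmicrosoft.com"], "microsoft.com",
               ["Received"], "Your subscription renews today. To cancel call (555) 123-4567.")
LEGIT = Message("microsoft.com", ["example.org"], "microsoft.com",
                ["Received"], "Support: (800) 642-7676")
```

Note that the rule's phone pattern requires a whitespace character after the area code, so a hyphen-only form such as 555-123-4567 is not matched; the sample messages above use the spaced form the pattern expects.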