Microsoft Infrastructure Abuse With Suspicious Patterns
Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.
Sublime rule:

```yaml
name: "Microsoft Infrastructure Abuse With Suspicious Patterns"
description: "Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers."
type: "rule"
severity: "high"
source: |
  type.inbound
  and sender.email.domain.root_domain == "microsoft.com"
  and headers.return_path.domain.domain not in $org_domains
  and 1 of (
    (
      length(recipients.to) == 1
      and all(recipients.to,
              .email.domain.root_domain == "onmicrosoft.com"
              and not .email.domain.domain in $org_domains
      )
    ),
    headers.return_path.domain.root_domain not in~ (
      'microsoft.com',
      'microsoftstoreemail.com',
      'microsoftsupport.com',
      'office.com',
      'teams-events.com',
      'qualtrics-research.com',
      'pb-dynmktg.com'
    ),
    any(headers.hops, any(.fields, .name == "Resent-From"))
  )
  and regex.icontains(body.current_thread.text, '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b')

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "cfe8e804-39ec-546f-9144-f721b95d9df1"
```
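The same detection logic re-implemented in Python over constructed sample messages, added here as an illustration (not Sublime's own code). It assumes a dict-shaped message, a constructed stand-in for `$org_domains`, and a simplified last-two-labels root-domain function in place of Sublime's public-suffix-aware `root_domain`.

```python
import re
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}  # constructed stand-in for $org_domains
MICROSOFT_RETURN_PATH_ROOTS = {  # the rule's list of Microsoft-controlled return-path roots
    "microsoft.com", "microsoftstoreemail.com", "microsoftsupport.com", "office.com",
    "teams-events.com", "qualtrics-research.com", "pb-dynmktg.com",
}
# Phone-number pattern copied unchanged from the rule's regex.icontains call
PHONE_RE = re.compile(r'\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b', re.IGNORECASE)

def domain_of(address):
    """Domain part of an RFC 5322 address such as 'Name <user@host>'."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def root_domain(domain):
    """Simplified registrable-domain extraction (last two labels; no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])

def matches_rule(msg):
    """msg is a constructed dict: sender, return_path, to (list), hops (list of header dicts), body."""
    if root_domain(domain_of(msg["sender"])) != "microsoft.com":
        return False
    rp_domain = domain_of(msg["return_path"])
    if rp_domain in ORG_DOMAINS:  # rule: headers.return_path.domain.domain not in $org_domains
        return False
    to_domains = [domain_of(a) for a in msg["to"]]
    single_onmicrosoft = len(to_domains) == 1 and all(
        root_domain(d) == "onmicrosoft.com" and d not in ORG_DOMAINS for d in to_domains)
    external_return_path = root_domain(rp_domain) not in MICROSOFT_RETURN_PATH_ROOTS
    resent_from = any(any(k.lower() == "resent-from" for k in hop) for hop in msg["hops"])
    # "1 of (...)" in the rule: at least one of the three suspicious patterns must hold
    if not (single_onmicrosoft or external_return_path or resent_from):
        return False
    return PHONE_RE.search(msg["body"]) is not None

# Constructed sample: Microsoft sender, third-party bounce address, callback number in the body
SUSPICIOUS = {
    "sender": "Microsoft 365 <no-reply@microsoft.com>",
    "return_path": "bounces@billing-alerts.example.net",
    "to": ["victim@example.com"],
    "hops": [{"Received": "from mail.example.net"}],
    "body": "Your renewal was charged. To dispute, call (800) 555-0199 within 24 hours.",
}
# Constructed sample: same sender, Microsoft-owned return path, no Resent-From, ordinary recipient
BENIGN = {**SUSPICIOUS, "return_path": "bounces@microsoft.com",
          "body": "Your invoice is ready. Call (800) 555-0199 with questions."}
```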