Microsoft Infrastructure Abuse With Suspicious Patterns

Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers. The rule below looks for inbound mail from a microsoft.com sender that shows at least one of those indicators and also carries a phone number in the message body, the hallmark of callback phishing.

Sublime rule:

name: "Microsoft Infrastructure Abuse With Suspicious Patterns"
description: "Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers."
type: "rule"
severity: "high"
source: |
  type.inbound
  // sender address is on microsoft.com or one of its subdomains
  and sender.email.domain.root_domain == "microsoft.com"
  // bounces do not go back to one of our own domains
  and headers.return_path.domain.domain not in $org_domains
  // at least one of the abuse indicators must be present
  and 1 of (
    // sole recipient is on a tenant default domain that is not ours
    (
      length(recipients.to) == 1
      and all(recipients.to,
              .email.domain.root_domain == "onmicrosoft.com"
              and not .email.domain.domain in $org_domains
      )
    ),
    // return path is outside Microsoft's known sending domains
    headers.return_path.domain.root_domain not in~ (
      'microsoft.com',
      'microsoftstoreemail.com',
      'microsoftsupport.com',
      'office.com',
      'teams-events.com',
      'qualtrics-research.com',
      'pb-dynmktg.com'
    ),
    // message carries a Resent-From header in any hop
    any(headers.hops, any(.fields, .name == "Resent-From"))
  )
  // callback phishing: a phone number in the current thread's text
  and regex.icontains(body.current_thread.text, '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b')

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "cfe8e804-39ec-546f-9144-f721b95d9df1"
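To see how the conditions combine, here is the same logic re-implemented in Python and run over two constructed sample messages. This is an added example, not Sublime's engine or code from the rule repository: root_domain() approximates Sublime's public-suffix-based root_domain with the last two labels, ORG_DOMAINS is a hypothetical tenant list standing in for $org_domains, and the Resent-From check looks at the flat header set rather than Sublime's per-hop header groups. The phone-number regex is the rule's own, unchanged.

```python
"""Re-implementation of the rule's logic over constructed sample messages (added example)."""
import re
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Phone-number pattern copied verbatim from the rule; icontains -> case-insensitive search.
PHONE_RE = re.compile(r"\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b", re.IGNORECASE)

# Return-path root domains the rule treats as legitimate Microsoft mail sources.
MS_RETURN_PATH_ROOTS = {
    "microsoft.com", "microsoftstoreemail.com", "microsoftsupport.com", "office.com",
    "teams-events.com", "qualtrics-research.com", "pb-dynmktg.com",
}

# Assumption: hypothetical tenant standing in for Sublime's $org_domains list.
ORG_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}


def root_domain(domain: str) -> str:
    """Approximate registrable domain (last two labels); Sublime uses a public-suffix list."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[-2:])


def addr_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a header value ('' if there is none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def evaluate(raw_message: str) -> dict:
    """Return each sub-condition of the rule plus the overall verdict for one inbound message."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender_domain = addr_domain(str(msg.get("From", "")))
    return_path_domain = addr_domain(str(msg.get("Return-Path", "")))
    to_domains = [addr.rpartition("@")[2].lower()
                  for _, addr in getaddresses([str(h) for h in msg.get_all("To", [])])]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""

    checks = {
        "sender_is_microsoft": root_domain(sender_domain) == "microsoft.com",
        "return_path_not_org": return_path_domain not in ORG_DOMAINS,
        # "1 of" branch: sole recipient on a tenant default domain that is not ours
        "single_onmicrosoft_recipient": (
            len(to_domains) == 1
            and root_domain(to_domains[0]) == "onmicrosoft.com"
            and to_domains[0] not in ORG_DOMAINS
        ),
        # "1 of" branch: bounces go somewhere other than Microsoft's known sending domains
        "non_ms_return_path": root_domain(return_path_domain) not in MS_RETURN_PATH_ROOTS,
        # "1 of" branch: message was re-sent (simplified: flat, case-insensitive header lookup)
        "has_resent_from": "Resent-From" in msg,
        "phone_number_in_body": PHONE_RE.search(text) is not None,
    }
    checks["match"] = (
        checks["sender_is_microsoft"]
        and checks["return_path_not_org"]
        and (checks["single_onmicrosoft_recipient"]
             or checks["non_ms_return_path"]
             or checks["has_resent_from"])
        and checks["phone_number_in_body"]
    )
    return checks


# Constructed sample: billing-themed callback lure from a microsoft.com sender address
# whose bounces go to an unrelated relay, with a phone number in the body.
SAMPLE_SUSPICIOUS = """\
From: Microsoft 365 Billing <billing-noreply@microsoft.com>
Return-Path: <bounce@mail-relay-example.net>
To: finance@contoso.com
Subject: Your subscription has been renewed
Content-Type: text/plain; charset=us-ascii

Your Microsoft 365 subscription has been renewed for $499.99.
If you did not authorize this charge, call our billing desk at +1 (888) 555-0142 within 24 hours.
"""

# Constructed sample: routine Microsoft notification with a Microsoft return path and no phone number.
SAMPLE_BENIGN = """\
From: Microsoft account team <account-security-noreply@accountprotection.microsoft.com>
Return-Path: <bounce@email.microsoft.com>
To: alice@contoso.com
Subject: New sign-in to your account
Content-Type: text/plain; charset=us-ascii

We noticed a new sign-in to your Microsoft account. If this was you, no action is needed.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, evaluate(sample))
```

One thing the run makes visible: the rule's regex requires whitespace between the area code and the next group, so "(888) 555-0142" matches while "888-555-0142" does not. When tuning this rule for your own traffic, test the pattern against the phone-number formats that actually appear in your callback-phishing samples.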