Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. The rule matches any tenant address under that domain (*.onmicrosoft.com), so enable it in your environment only if receiving email from onmicrosoft.com addresses is unexpected behaviour; legitimate senders that never configured a custom domain may otherwise be flagged.
Sublime rule (View on GitHub)
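name: "Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)"
description: "The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour."
type: "rule"
severity: "low"
source: |
  type.inbound
  // sender is a *.onmicrosoft.com tenant address, or an invalid sender domain
  // whose display name leans on the onmicrosoft.com name
  and (
    sender.email.domain.root_domain == "onmicrosoft.com"
    or (
      strings.icontains(sender.display_name, "onmicrosoft.com")
      and sender.email.domain.valid == false
    )
  )
  // one-to-one delivery with at least one link in the body
  and length(recipients.to) < 2
  and length(body.links) > 0
  // bounce-back negations
  // ilike rather than like: bounce local parts are frequently upper-cased
  // (MAILER-DAEMON, Postmaster), so do not depend on case normalisation here
  and not strings.ilike(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
  and not any(attachments,
              .content_type in (
                "message/rfc822",
                "message/delivery-status",
                "text/calendar"
              )
              or (.content_type == "text/plain" and .file_extension == "ics")
  )
  // negating legit replies: a reply/forward-style subject alone is not enough,
  // the message must also carry References and an In-Reply-To header
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject, '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*')
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (
      length(headers.references) > 0
      and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
    )
  )
  // negating auto-replies: Auto-Submitted: auto-generated messages that Exchange
  // itself produced, except antispam quarantine notifications, which stay in scope
  and not (
    any(headers.hops,
        any(.fields, .name =~ "auto-submitted" and .value =~ "auto-generated")
        and any(.fields,
                .name =~ "X-MS-Exchange-Generated-Message-Source"
                and .value not in ("Antispam Quarantine Agent")
        )
    )
  )
  // infer the tenant's likely vanity domain and skip senders the org already
  // corresponds with. Because the sender domain always ends in onmicrosoft.com,
  // <tenant>.onmicrosoft.com is rebuilt as <tenant>.com only; a tenant whose real
  // domain sits under another suffix (contoso.co.uk, contoso.io) is not negated here.
  and not strings.concat(sender.email.domain.subdomain, ".", sender.email.domain.tld) in $recipient_domains
  // unsolicited senders, or solicited senders with a spam/malicious history and
  // no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and not sender.email.domain.domain in $org_domains
tags:
  - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "3f2a64ce-28bf-505e-a366-204241610ff9"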