Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)
The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.
Sublime rule (View on GitHub)
1name: "Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)"
2description: "The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour."
3type: "rule"
4severity: "low"
5source: |
6 type.inbound
7 and sender.email.domain.root_domain == "onmicrosoft.com"
8 and length(recipients.to) < 2
9 and length(body.links) > 0
10 // bounce-back negations
11 and not strings.like(sender.email.local_part, "*postmaster*", "*mailer-daemon*", "*administrator*")
12 and not any(attachments,
13 .content_type in (
14 "message/rfc822",
15 "message/delivery-status",
16 "text/calendar"
17 )
18 )
19 // negating legit replies
20 and not (
21 (
22 strings.istarts_with(subject.subject, "RE:")
23 or strings.istarts_with(subject.subject, "FW:")
24 or strings.istarts_with(subject.subject, "FWD:")
25 or regex.imatch(subject.subject, '[^:]?automat.[^:]{0,20}:.*$')
26 )
27 and (
28 length(headers.references) > 0
29 and any(headers.hops, any(.fields, strings.ilike(.name, "In-Reply-To")))
30 )
31 )
32 // construct the proper sender domain and check against known recipients
33 and not strings.concat(sender.email.domain.subdomain, ".", sender.email.domain.tld) in $recipient_domains
34 and (
35 not profile.by_sender().solicited
36 or (
37 profile.by_sender().any_messages_malicious_or_spam
38 and not profile.by_sender().any_false_positives
39 )
40 )
41 and not sender.email.domain.domain in $org_domains
42tags:
43 - "Attack surface reduction"
44attack_types:
45 - "Callback Phishing"
46 - "Credential Phishing"
47 - "Spam"
48tactics_and_techniques:
49 - "Free email provider"
50 - "Impersonation: Brand"
51 - "Social engineering"
52detection_methods:
53 - "Content analysis"
54 - "Sender analysis"
55id: "3f2a64ce-28bf-505e-a366-204241610ff9"