Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

Sublime rule (View on GitHub)

# Sublime Security detection rule. The MQL query under `source` must evaluate
# to true for an inbound message to match; `//` lines inside it are MQL comments.
name: "Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)"
description: "The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour."
type: "rule"
# Low severity: this is an attack-surface-reduction rule that is only meaningful
# where mail from onmicrosoft.com tenants is not expected (see description).
severity: "low"
source: |
  type.inbound
  // Sender check: either the envelope/header address really lives under the
  // default tenant domain, or the display name merely claims onmicrosoft.com
  // while the actual address domain does not parse as a valid domain.
  and (
    sender.email.domain.root_domain == "onmicrosoft.com"
    or (
      strings.icontains(sender.display_name, "onmicrosoft.com")
      and sender.email.domain.valid == false
    )
  )
  // Scope: a single To: recipient and at least one link in the body.
  and length(recipients.to) < 2
  and length(body.links) > 0
  // bounce-back negations
  // (system local-parts, then attachment types typical of bounces/DSNs and
  // calendar invites)
  and not strings.like(sender.email.local_part,
                       "*postmaster*",
                       "*mailer-daemon*",
                       "*administrator*"
  )
  and not any(attachments,
              .content_type in (
                "message/rfc822",
                "message/delivery-status",
                "text/calendar"
              )
              or (.content_type == "text/plain" and .file_extension == "ics")
  )
  // negating legit replies
  // A reply-style subject alone is not enough: the message must also carry
  // threading headers (non-empty References and an In-Reply-To) to be exempted.
  and not (
    (
      strings.istarts_with(subject.subject, "RE:")
      or strings.istarts_with(subject.subject, "FW:")
      or strings.istarts_with(subject.subject, "FWD:")
      or regex.imatch(subject.subject,
                      '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
      )
      or strings.istarts_with(subject.subject, "Réponse automatique")
    )
    and (length(headers.references) > 0 and headers.in_reply_to is not null)
  )
  // negating auto-replies
  // Exempts auto-generated Exchange messages, except those whose generated
  // message source is the Antispam Quarantine Agent (those still evaluate).
  and not (
    any(headers.hops,
        any(.fields, .name =~ "auto-submitted" and .value =~ "auto-generated")
        and any(.fields,
                .name =~ "X-MS-Exchange-Generated-Message-Source"
                and .value not in ("Antispam Quarantine Agent")
        )
    )
  )
  // Microsoft has some legit onmicrosoft domains...
  // The exemption is deliberately narrow: the exact microsoft.onmicrosoft.com
  // domain, an SPF pass, and every body link resolving to microsoft.com.
  and not (
    sender.email.domain.domain == "microsoft.onmicrosoft.com"
    and headers.auth_summary.spf.pass
    and all(body.links, .href_url.domain.root_domain == "microsoft.com")
  )
  // construct the proper sender domain and check against known recipients
  // e.g. "<tenant>.onmicrosoft.com" -> "<tenant>.<tld>"; presumably so a tenant
  // whose real domain is already a known recipient domain is not flagged.
  and not strings.concat(sender.email.domain.subdomain,
                         ".",
                         sender.email.domain.tld
  ) in $recipient_domains
  // Sender history: fire when the sender is unsolicited, or has prior
  // malicious/spam messages and no benign ones.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )
  // Never flag the organisation's own domains.
  and not sender.email.domain.domain in $org_domains  
tags:
 - "Attack surface reduction"
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
id: "3f2a64ce-28bf-505e-a366-204241610ff9"
