Sendgrid onmicrosoft.com domain phishing
The message originates from an onmicrosoft.com email address being sent via Sendgrid.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Evasion |
Event coverage
| Message attribute |
|---|
| headers.return_path |
| sender.email |
| type |
Rule body (MQL)
type.inbound
and headers.return_path.domain.domain == "sendgrid.net"
and sender.email.domain.root_domain == "onmicrosoft.com"
and not strings.like(sender.email.local_part,
"*postmaster*",
"*mailer-daemon*",
"*administrator*"
)
Detection logic
Scope: inbound message.
- inbound message
- headers.return_path.domain.domain is 'sendgrid.net'
- sender.email.domain.root_domain is 'onmicrosoft.com'
- not: sender.email.local_part matches any of 3 patterns:
  - *postmaster*
  - *mailer-daemon*
  - *administrator*
Inspects: headers.return_path.domain.domain, sender.email.domain.root_domain, sender.email.local_part, type.inbound. Sensors: strings.like.
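Worked example added here (not part of the rule page or Sublime's own code): a Python re-implementation of the rule logic above, run against constructed messages so the scope, the return-path check, the root-domain check and the local-part exclusions can each be seen to fire. Assumptions: root_domain is approximated by the last two DNS labels rather than the Public Suffix List, and the strings.like patterns are treated as case-sensitive shell-style globs.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

@dataclass
class Message:
    """Only the fields the rule inspects; constructed for this example."""
    inbound: bool        # type.inbound
    return_path: str     # headers.return_path
    sender_email: str    # sender.email

EXCLUDED_LOCAL_PARTS = ("*postmaster*", "*mailer-daemon*", "*administrator*")

def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0]

def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def root_domain(dom: str) -> str:
    # Assumption: the registrable domain is approximated by the last two
    # labels. Sublime's root_domain uses the Public Suffix List instead.
    return ".".join(dom.split(".")[-2:])

def matches_rule(msg: Message) -> bool:
    """Mirror of the MQL rule: True when the message would be flagged."""
    if not msg.inbound:
        return False
    # domain.domain is the full domain, so a sendgrid.net subdomain does not match
    if domain(msg.return_path) != "sendgrid.net":
        return False
    if root_domain(domain(msg.sender_email)) != "onmicrosoft.com":
        return False
    # strings.like with shell-style globs; any hit excludes the message.
    # Assumption: matching is case-sensitive, as the literal patterns suggest.
    lp = local_part(msg.sender_email)
    return not any(fnmatchcase(lp, pat) for pat in EXCLUDED_LOCAL_PARTS)

# Constructed sample messages (not real traffic): flag, excluded local part,
# return-path subdomain, outbound, and a sender outside onmicrosoft.com.
SAMPLES = [
    Message(True, "bounces+1-2-u=example.com@sendgrid.net", "billing@contoso.onmicrosoft.com"),
    Message(True, "bounces+1-2-u=example.com@sendgrid.net", "postmaster@contoso.onmicrosoft.com"),
    Message(True, "bounces+1-2-u=example.com@mail.sendgrid.net", "billing@contoso.onmicrosoft.com"),
    Message(False, "bounces+1-2-u=example.com@sendgrid.net", "billing@contoso.onmicrosoft.com"),
    Message(True, "bounces+1-2-u=example.com@sendgrid.net", "billing@contoso.com"),
]

def evaluate(samples=SAMPLES) -> list[bool]:
    return [matches_rule(m) for m in samples]
```

Calling evaluate() returns one verdict per sample; only the first constructed message is flagged.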
Indicators matched (5)
| Field | Match | Value |
|---|---|---|
| headers.return_path.domain.domain | equals | sendgrid.net |
| sender.email.domain.root_domain | equals | onmicrosoft.com |
| strings.like | substring | *postmaster* |
| strings.like | substring | *mailer-daemon* |
| strings.like | substring | *administrator* |