Microsoft infrastructure abuse with suspicious patterns
Attackers have been observed abusing Microsoft's services, with suspicious indicators such as default Microsoft 365 domains (onmicrosoft.com), non-Microsoft return paths, or Resent-From headers.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Callback Phishing |
| Tactics and techniques | Evasion, Impersonation: Brand, Social engineering |
Event coverage
Rule body (MQL)

```mql
type.inbound
and sender.email.domain.root_domain == "microsoft.com"
and headers.return_path.domain.domain not in $org_domains
and 1 of (
  (
    length(recipients.to) == 1
    and all(recipients.to,
            .email.domain.root_domain == "onmicrosoft.com"
            and not .email.domain.domain in $org_domains
    )
  ),
  headers.return_path.domain.root_domain not in~ (
    'microsoft.com',
    'microsoftstoreemail.com',
    'microsoftsupport.com',
    'office.com',
    'teams-events.com',
    'qualtrics-research.com',
    'pb-dynmktg.com'
  ),
  any(headers.hops, any(.fields, .name == "Resent-From"))
)
and regex.icontains(body.current_thread.text,
                    '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b'
)
```
Detection logic
Scope: inbound message.
- inbound message
- sender.email.domain.root_domain is 'microsoft.com'
- headers.return_path.domain.domain not in $org_domains
- at least 1 of:
  - all of:
    - length(recipients.to) is 1
    - recipients.to where all hold:
      - .email.domain.root_domain is 'onmicrosoft.com'
      - not: .email.domain.domain in $org_domains
  - headers.return_path.domain.root_domain not in (case-insensitive) ('microsoft.com', 'microsoftstoreemail.com', 'microsoftsupport.com', 'office.com', 'teams-events.com', 'qualtrics-research.com', 'pb-dynmktg.com')
  - headers.hops where any of:
    - .fields where any of:
      - .name is 'Resent-From'
- body.current_thread.text matches (case-insensitive) '\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b'
Inspects: body.current_thread.text, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.return_path.domain.domain, headers.return_path.domain.root_domain, recipients.to, recipients.to[].email.domain.domain, recipients.to[].email.domain.root_domain, sender.email.domain.root_domain, type.inbound. Sensors: regex.icontains. Reference lists: $org_domains.
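As an added example (not part of the Sublime rule or of this page), the same clauses re-expressed in Python over constructed message dicts, so the detection logic can be exercised offline; the `$org_domains` contents, the message layout, the hop representation and the naive root-domain helper are assumptions:

```python
import re

# Constructed stand-in for the $org_domains reference list (assumption).
ORG_DOMAINS = {"example.com"}
# Return-path root domains the rule treats as expected Microsoft senders (from the rule body).
MS_RETURN_PATH_ROOTS = {"microsoft.com", "microsoftstoreemail.com", "microsoftsupport.com",
                        "office.com", "teams-events.com", "qualtrics-research.com", "pb-dynmktg.com"}
# Phone-number pattern copied from the rule; regex.icontains is a case-insensitive search.
PHONE_RE = re.compile(r"\b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b", re.IGNORECASE)


def root_domain(domain):
    # Naive helper (assumption): last two labels. MQL's root_domain uses the public suffix list.
    return ".".join(domain.lower().split(".")[-2:])


def matches(msg):
    """True when the constructed message satisfies every clause of the rule."""
    if not msg["inbound"] or root_domain(msg["sender_domain"]) != "microsoft.com":
        return False
    return_path = msg["return_path_domain"].lower()
    if return_path in ORG_DOMAINS:
        return False
    to = msg["to_domains"]
    # Clause 1: a single recipient on a default onmicrosoft.com tenant outside the org.
    single_onmicrosoft = len(to) == 1 and all(
        root_domain(d) == "onmicrosoft.com" and d.lower() not in ORG_DOMAINS for d in to)
    # Clause 2: return path is not one of the known Microsoft sending domains (not in~).
    foreign_return_path = root_domain(return_path) not in MS_RETURN_PATH_ROOTS
    # Clause 3: any hop carries a Resent-From field (exact name match, as in the rule).
    # Hops are modelled as lists of header field names (assumption).
    resent_from = any(name == "Resent-From" for hop in msg["hops"] for name in hop)
    if not (single_onmicrosoft or foreign_return_path or resent_from):
        return False
    # Final clause: a callback phone number in the current thread text.
    return PHONE_RE.search(msg["body"]) is not None


# Constructed sample messages (not real mail): a callback lure and a benign notification.
LURE = {"inbound": True, "sender_domain": "email.microsoft.com",
        "return_path_domain": "bounce.bulkmail.example",
        "to_domains": ["sometenant.onmicrosoft.com"], "hops": [["Received", "Resent-From"]],
        "body": "Your subscription renewed for $399. To cancel call (800) 555 0199 now."}
BENIGN = {"inbound": True, "sender_domain": "email.microsoft.com",
          "return_path_domain": "em.microsoft.com", "to_domains": ["example.com"],
          "hops": [["Received"]], "body": "Your Microsoft 365 invoice is ready."}
```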
Indicators matched (11)
| Field | Match | Value |
|---|---|---|
| sender.email.domain.root_domain | equals | microsoft.com |
| recipients.to[].email.domain.root_domain | equals | onmicrosoft.com |
| headers.return_path.domain.root_domain | member | microsoft.com |
| headers.return_path.domain.root_domain | member | microsoftstoreemail.com |
| headers.return_path.domain.root_domain | member | microsoftsupport.com |
| headers.return_path.domain.root_domain | member | office.com |
| headers.return_path.domain.root_domain | member | teams-events.com |
| headers.return_path.domain.root_domain | member | qualtrics-research.com |
| headers.return_path.domain.root_domain | member | pb-dynmktg.com |
| headers.hops[].fields[].name | equals | Resent-From |
| regex.icontains | regex | \b\+?(\d{1}.)?\(?\d{3}?\)?\s~?\s?\d{3}.?~?.\d{4}\b |