Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)

Severity: low
Type: rule
Source: github.com/sublime-security/sublime-rules

The default Microsoft Exchange Online sender domain, onmicrosoft.com, is commonly used to send unwanted and malicious email. Enable this rule in your environment if receiving email from the onmicrosoft.com domain is unexpected behaviour.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	Callback Phishing, Credential Phishing, Spam
Tactics and techniques	Free email provider, Impersonation: Brand, Social engineering

Event coverage

Message attribute
attachments (collection)
body
body.links (collection)
headers (collection)
headers.auth_summary
headers.hops (collection)
recipients
sender
sender.email
subject
type

Rule body MQL

type.inbound
and (
  sender.email.domain.root_domain == "onmicrosoft.com"
  or (
    strings.icontains(sender.display_name, "onmicrosoft.com")
    and sender.email.domain.valid == false
  )
)
and length(recipients.to) < 2
and length(body.links) > 0
// bounce-back negations
and not strings.like(sender.email.local_part,
                     "*postmaster*",
                     "*mailer-daemon*",
                     "*administrator*"
)
and not any(attachments,
            .content_type in (
              "message/rfc822",
              "message/delivery-status",
              "text/calendar"
            )
            or (.content_type == "text/plain" and .file_extension == "ics")
)
// negating legit replies
and not (
  (
    strings.istarts_with(subject.subject, "RE:")
    or strings.istarts_with(subject.subject, "FW:")
    or strings.istarts_with(subject.subject, "FWD:")
    or regex.imatch(subject.subject,
                    '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
    )
    or strings.istarts_with(subject.subject, "Réponse automatique")
  )
  and (length(headers.references) > 0 and headers.in_reply_to is not null)
)
// negating auto-replies
and not (
  any(headers.hops,
      any(.fields, .name =~ "auto-submitted" and .value =~ "auto-generated")
      and any(.fields,
              .name =~ "X-MS-Exchange-Generated-Message-Source"
              and .value not in ("Antispam Quarantine Agent")
      )
  )
)
// Microsoft has some legit onmicrosoft domains...
and not (
  sender.email.domain.domain == "microsoft.onmicrosoft.com"
  and headers.auth_summary.spf.pass
  and all(body.links, .href_url.domain.root_domain == "microsoft.com")
)
// construct the proper sender domain and check against known recipients
and not strings.concat(sender.email.domain.subdomain,
                       ".",
                       sender.email.domain.tld
) in $recipient_domains
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and not sender.email.domain.domain in $org_domains

Detection logic

Scope: inbound message.

inbound message
any of:
- sender.email.domain.root_domain is 'onmicrosoft.com'
- all of:
  - sender.display_name contains 'onmicrosoft.com'
  - sender.email.domain.valid is False
length(recipients.to) < 2
length(body.links) > 0
not:
- sender.email.local_part matches any of 3 patterns
  - *postmaster*
  - *mailer-daemon*
  - *administrator*
not:
- any of attachments where any holds:
  - .content_type in ('message/rfc822', 'message/delivery-status', 'text/calendar')
  - all of:
    
    .content_type is 'text/plain'
    .file_extension is 'ics'
not:
- all of:
  - any of:
    
    subject.subject starts with 'RE:'
    subject.subject starts with 'FW:'
    subject.subject starts with 'FWD:'
    subject.subject matches '(\\[[^\\]]+\\]\\s?){0,3}(re|fwd?|automat.*)\\s?:.*'
    subject.subject starts with 'Réponse automatique'
  - all of:
    
    length(headers.references) > 0
    headers.in_reply_to is set
not:
- any of headers.hops where all hold:
  - any of .fields where all hold:
    
    .name is 'auto-submitted'
    .value is 'auto-generated'
  - any of .fields where all hold:
    
    .name is 'X-MS-Exchange-Generated-Message-Source'
    .value not in ('Antispam Quarantine Agent')
not:
- all of:
  - sender.email.domain.domain is 'microsoft.onmicrosoft.com'
  - headers.auth_summary.spf.pass
  - all of body.links where:
    
    .href_url.domain.root_domain is 'microsoft.com'
not:
- strings.concat(sender.email.domain.subdomain, '.') in $recipient_domains
any of:
- not:
  - profile.by_sender().solicited
- all of:
  - profile.by_sender().any_messages_malicious_or_spam
  - not:
    
    profile.by_sender().any_messages_benign
not:
- sender.email.domain.domain in $org_domains

Inspects: attachments[].content_type, attachments[].file_extension, body.links, body.links[].href_url.domain.root_domain, headers.auth_summary.spf.pass, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, headers.in_reply_to, headers.references, recipients.to, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.domain.subdomain, sender.email.domain.tld, sender.email.domain.valid, sender.email.local_part, subject.subject, type.inbound. Sensors: profile.by_sender, regex.imatch, strings.concat, strings.icontains, strings.istarts_with, strings.like. Reference lists: $org_domains, $recipient_domains.

Indicators matched (21)

Field	Match	Value
`sender.email.domain.root_domain`	equals	`onmicrosoft.com`
`strings.icontains`	substring	`onmicrosoft.com`
`strings.like`	substring	`postmaster`
`strings.like`	substring	`mailer-daemon`
`strings.like`	substring	`administrator`
`attachments[].content_type`	member	`message/rfc822`
`attachments[].content_type`	member	`message/delivery-status`
`attachments[].content_type`	member	`text/calendar`
`attachments[].content_type`	equals	`text/plain`
`attachments[].file_extension`	equals	`ics`
`strings.istarts_with`	prefix	`RE:`
`strings.istarts_with`	prefix	`FW:`

9 more

`strings.istarts_with`	prefix	`FWD:`
`regex.imatch`	regex	`(\[[^\]]+\]\s?){0,3}(re\|fwd?\|automat.)\s?:.`
`strings.istarts_with`	prefix	`Réponse automatique`
`headers.hops[].fields[].name`	equals	`auto-submitted`
`headers.hops[].fields[].value`	equals	`auto-generated`
`headers.hops[].fields[].name`	equals	`X-MS-Exchange-Generated-Message-Source`
`headers.hops[].fields[].value`	member	`Antispam Quarantine Agent`
`sender.email.domain.domain`	equals	`microsoft.onmicrosoft.com`
`body.links[].href_url.domain.root_domain`	equals	`microsoft.com`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)