From 23c41ebe5da78a86cc23b2ef52387a58cc78fe5c Mon Sep 17 00:00:00 2001 From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com> Date: Wed, 18 Dec 2024 09:51:57 -0600 Subject: [PATCH] Create header_onmicrosoft_traversal.yml (#2060) Co-authored-by: ID Generator Co-authored-by: Aiden Mitchell --- .../header_onmicrosoft_traversal.yml | 37 +++++++++++++++++++ 1 file changed, 37 insertions(+) create mode 100644 detection-rules/header_onmicrosoft_traversal.yml diff --git a/detection-rules/header_onmicrosoft_traversal.yml b/detection-rules/header_onmicrosoft_traversal.yml new file mode 100644 index 00000000000..c6ba1546391 --- /dev/null +++ b/detection-rules/header_onmicrosoft_traversal.yml @@ -0,0 +1,37 @@ +name: "Message Traversed Multiple onmicrosoft.com Tenants" +description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients." +type: "rule" +severity: "medium" +source: | + type.inbound + and length(recipients.to) == 1 + and all(recipients.to, + .email.domain.root_domain == "onmicrosoft.com" + and not .email.domain.domain in $org_domains + ) + // the message has traversed two or more different "onmicrosoft.com" subdomains + and length(distinct(map(filter(headers.hops, + strings.icontains(.authentication_results.spf_details.designator, + '.onmicrosoft.com' + ) + and not strings.contains(.authentication_results.spf_details.designator, + "@" + ) + ), + .authentication_results.spf_details.designator + ), + . + ) + ) > 1 + + and all(recipients.to, .email.domain.domain != headers.return_path.domain.domain) +attack_types: + - "Callback Phishing" +tactics_and_techniques: + - "Evasion" + - "Free email provider" + - "Free subdomain host" +detection_methods: + - "Sender analysis" + - "Header analysis" +id: "9cf01c0d-95d5-5ea6-8150-cf5879834e06"