From a99fca9fdbda6b766d44d47955230d7a06800439 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 25 Oct 2024 14:58:04 -0500
Subject: [PATCH 1/4] Create header_onmicrosoft_traversal.yml
---
 .../header_onmicrosoft_traversal.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 detection-rules/header_onmicrosoft_traversal.yml
diff --git a/detection-rules/header_onmicrosoft_traversal.yml b/detection-rules/header_onmicrosoft_traversal.yml
new file mode 100644
index 00000000000..14c8f510300
--- /dev/null
+++ b/detection-rules/header_onmicrosoft_traversal.yml
@@ -0,0 +1,36 @@
+name: "Messaged Traversed Multiple onmicrosoft.com Tenants"
+description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants—a technique observed as an evasion tactic to distribute a single message across a list of targeted recipients."
+type: "rule"
+severity: "medium"
+source: |
+ type.inbound
+ and length(recipients.to) == 1
+ and all(recipients.to,
+ .email.domain.root_domain == "onmicrosoft.com"
+ and not .email.domain.domain in $org_domains
+ )
+ // the message has traversed two or more different "onmicrosoft.com" subdomains
+ and length(distinct(map(filter(headers.hops,
+ strings.icontains(.authentication_results.spf_details.designator,
+ '.onmicrosoft.com'
+ )
+ and not strings.contains(.authentication_results.spf_details.designator,
+ "@"
+ )
+ ),
+ .authentication_results.spf_details.designator
+ ),
+ .
+ )
+ ) > 1
+
+ and all(recipients.to, .email.domain.domain != headers.return_path.domain.domain)
+attack_types:
+ - "Callback Phishing"
+tactics_and_techniques:
+ - "Evasion"
+ - "Free email provider"
+ - "Free subdomain host"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
From 7bbdab5f98140171819f9f7092fe4db992574abc Mon Sep 17 00:00:00 2001
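Review bot: The tenant test inside the `filter(headers.hops, ...)` call of the new `source` block is a substring match, so `strings.icontains(.authentication_results.spf_details.designator, '.onmicrosoft.com')` also accepts any designator that merely embeds that string (for example a sender-chosen domain of the form `x.onmicrosoft.com.example`), while the `distinct(...)` that follows compares the raw designator strings case-sensitively even though the filter is case-insensitive, so one tenant seen in two letter-cases would count twice toward `> 1`. Anchoring on the suffix, `strings.iends_with(.authentication_results.spf_details.designator, '.onmicrosoft.com')`, matches what the inline comment says is being counted, and if MQL offers a lower-casing helper the `map(...)` projection should apply it before `distinct` so the count is over normalised domains. The description speaks of distinct tenants, but the rule counts distinct SPF designator strings; a comment such as `// counts distinct SPF designator domains as a proxy for tenants; a tenant that presents more than one onmicrosoft.com routing domain may be over-counted` would keep the intent honest for whoever tunes this later.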
From: ID Generator
Date: Fri, 25 Oct 2024 20:01:12 +0000
Subject: [PATCH 2/4] Auto add rule ID
---
 detection-rules/header_onmicrosoft_traversal.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/detection-rules/header_onmicrosoft_traversal.yml b/detection-rules/header_onmicrosoft_traversal.yml
index 14c8f510300..4aea6017456 100644
--- a/detection-rules/header_onmicrosoft_traversal.yml
+++ b/detection-rules/header_onmicrosoft_traversal.yml
@@ -34,3 +34,4 @@ tactics_and_techniques:
 detection_methods:
 - "Sender analysis"
 - "Header analysis"
+id: "9cf01c0d-95d5-5ea6-8150-cf5879834e06"
From 792bcaf96c8d640da266175dcd7d3edfd1ab7e85 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Fri, 13 Dec 2024 17:12:45 -0600
Subject: [PATCH 3/4] Update detection-rules/header_onmicrosoft_traversal.yml
Co-authored-by: Aiden Mitchell
---
 detection-rules/header_onmicrosoft_traversal.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/header_onmicrosoft_traversal.yml b/detection-rules/header_onmicrosoft_traversal.yml
index 4aea6017456..b272c7640e0 100644
--- a/detection-rules/header_onmicrosoft_traversal.yml
+++ b/detection-rules/header_onmicrosoft_traversal.yml
@@ -1,4 +1,4 @@
-name: "Messaged Traversed Multiple onmicrosoft.com Tenants"
+name: "Message Traversed Multiple onmicrosoft.com Tenants"
 description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants—a technique observed as an evasion tactic to distribute a single message across a list of targeted recipients."
 type: "rule"
 severity: "medium"
From 4716eb250f887146721915e3ae60c580610b3b2e Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Mon, 16 Dec 2024 09:26:18 -0600
Subject: [PATCH 4/4] Update header_onmicrosoft_traversal.yml
---
 detection-rules/header_onmicrosoft_traversal.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detection-rules/header_onmicrosoft_traversal.yml b/detection-rules/header_onmicrosoft_traversal.yml
index b272c7640e0..c6ba1546391 100644
--- a/detection-rules/header_onmicrosoft_traversal.yml
+++ b/detection-rules/header_onmicrosoft_traversal.yml
@@ -1,5 +1,5 @@
 name: "Message Traversed Multiple onmicrosoft.com Tenants"
-description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants—a technique observed as an evasion tactic to distribute a single message across a list of targeted recipients."
+description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants. This technique has been observed as an evasion tactic to distribute a single message across a list of targeted recipients."
 type: "rule"
 severity: "medium"
 source: |