Create header_onmicrosoft_traversal.yml

detection-rules/header_onmicrosoft_traversal.yml

@@ -0,0 +1,37 @@
+name: "Messaged Traversed Multiple onmicrosoft.com Tenants"
+description: "This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants—a technique observed as an evasion tactic to distribute a single message across a list of targeted recipients."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(recipients.to) == 1
+  and all(recipients.to,
+          .email.domain.root_domain == "onmicrosoft.com"
+          and not .email.domain.domain in $org_domains
+  )
+  // the message has traversed two or more different "onmicrosoft.com" subdomains
+  and length(distinct(map(filter(headers.hops,
+                                 strings.icontains(.authentication_results.spf_details.designator,
+                                                   '.onmicrosoft.com'
+                                 )
+                                 and not strings.contains(.authentication_results.spf_details.designator,
+                                                          "@"
+                                 )
+                          ),
+                          .authentication_results.spf_details.designator
+                      ),
+                      .
+             )
+  ) > 1
+
+  and all(recipients.to, .email.domain.domain != headers.return_path.domain.domain)
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Evasion"
+  - "Free email provider"
+  - "Free subdomain host"
+detection_methods:
+  - "Sender analysis"
+  - "Header analysis"
+id: "9cf01c0d-95d5-5ea6-8150-cf5879834e06"