Introduction
Recently there has been a notable surge in the use of “.onmicrosoft.com” domains in phishing activity. Malicious actors create large numbers of trial Microsoft 365 tenants, each of which comes with Exchange Online automatically activated, and use them as disposable sending infrastructure for phishing emails.
During one incident, I identified nearly 100 distinct “.onmicrosoft.com” domains sending identical phishing emails to various target domains within a few hours. Because these phishing attempts were evading multiple security controls, it became imperative to quickly implement additional measures to protect the targeted domains against such orchestrated campaigns. Additionally, I set up monitoring of every email quarantined as a result of the newly implemented measures. This proactive approach accounted for potential false positives, especially in cases where users might legitimately be corresponding with Exchange Online tenants that are still on a default .onmicrosoft.com address.
Look for emails from a .onmicrosoft.com domain
Below you will find a sample Kusto Query Language (KQL) query that reports all inbound emails received in the last 30 days from a domain ending in .onmicrosoft.com. It is imperative to analyse this data in detail before taking any action to quarantine these emails, because legitimate senders (for example a partner tenant that never added a custom domain) will show up here and would become false positives.
Once the review is complete and you have assessed the implications of implementing a Mail Flow rule to quarantine these emails, the next step is to build a detection for every inbound email that the Mail Flow rule will redirect to quarantine, so that the effect of the rule is visible from the moment it is enabled.
```kql
// Hunt for inbound emails whose envelope sender (MAIL FROM) domain is an *.onmicrosoft.com tenant
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
// Take the part after "@"; a negative array index counts from the end of the split result.
// EmailEvents also exposes this value directly as SenderMailFromDomain.
| extend MailFromDomain = tostring(split(SenderMailFromAddress, "@")[-1])
// endswith avoids matching unrelated domains that merely contain the string
| where MailFromDomain endswith ".onmicrosoft.com"
| project Timestamp, NetworkMessageId, SenderMailFromAddress, MailFromDomain, SenderFromDomain,
    RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, LatestDeliveryAction,
    ThreatTypes, DetectionMethods, EmailAction
| sort by Timestamp desc
```
Crafting an Alert Rule for .onmicrosoft.com Emails Rerouted to Quarantine by a Mail Flow Rule
Working this out proved to be a challenge. When a Mail Flow rule diverts an email to quarantine, the relevant information is visible in the Defender portal, specifically in the analysis data of the Email entity page, as depicted below. However, this information does not appear to be available in advanced hunting: although EmailEvents and its AdditionalFields column carry some details, the quarantine action performed by a Mail Flow rule does not seem to be recorded there.
Typically, when EOP or MDO sends an email to quarantine, the EmailAction field is populated with “Send to quarantine”. If, however, an email is sent to quarantine explicitly by a Mail Flow rule, this field remains empty. The detection approach that follows assumes that a single Mail Flow rule is responsible for directing .onmicrosoft.com emails to quarantine. Under that assumption, an inbound email from a .onmicrosoft.com domain whose DeliveryLocation is Quarantine but whose EmailAction is empty can be attributed to the Mail Flow rule rather than to a filtering verdict, which lets us pinpoint exactly the emails routed to quarantine by the rule created below.
Establish a Mail Flow rule to route emails from a .onmicrosoft.com domain to quarantine
Step 1: Sign in to the Microsoft 365 admin center
Link: aka.ms/admincenter
Step 2: Under “Admin centers” in the navigation pane, click Exchange to open the Exchange admin center.
Step 3: Under Mail flow > Rules, create a new rule with the following conditions and action.
- Apply this rule if
The sender -> address matches any of these text patterns: \.onmicrosoft\.com$
(The text patterns in this condition are regular expressions, so an unanchored “.onmicrosoft.com” also matches any character in place of the dots; the anchored pattern above restricts the match to addresses that end in .onmicrosoft.com. Set “match sender address in message” to “Header or envelope” so that the rule also catches messages where only the envelope MAIL FROM address is on the .onmicrosoft.com domain.)
- Do the following
Redirect the message to -> hosted quarantine
Moreover, ensure that end users are notified whenever an email is sent to quarantine, and give them the ability to preview and request the release of quarantined emails, so that any false positives produced by the rule are surfaced and resolved quickly.
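The detection described in the alert-rule section above, and the means to watch what the Mail Flow rule just created actually quarantines, is the following advanced hunting query. It is an added example and not the query from the original post. It relies on two assumptions stated in the post: only one Mail Flow rule quarantines .onmicrosoft.com senders, and an EOP/MDO verdict populates EmailAction (“Send to quarantine”) while the Mail Flow rule leaves it empty. The one-hour lookback is an assumption chosen to match an hourly custom detection schedule; adjust it to the frequency you select.

```kql
// Added example (not from the original post): inbound .onmicrosoft.com email that the
// Mail Flow rule redirected to quarantine. Assumptions: (1) a single Mail Flow rule quarantines
// .onmicrosoft.com senders; (2) EOP/MDO verdicts fill EmailAction, the rule does not, so
// "DeliveryLocation is Quarantine and EmailAction is empty" is the rule's footprint.
EmailEvents
| where Timestamp > ago(1h)                                 // assumption: hourly detection schedule
| where EmailDirection == "Inbound"
// The header From (SenderFromDomain) can differ from the envelope MAIL FROM (SenderMailFromDomain);
// the rule was configured to match either, so check both here as well
| where SenderMailFromDomain endswith ".onmicrosoft.com"
    or SenderFromDomain endswith ".onmicrosoft.com"
| where DeliveryLocation == "Quarantine"
| where isempty(EmailAction)                                // no filtering verdict: the Mail Flow rule acted
// Custom detection rules require Timestamp, ReportId and an entity column such as NetworkMessageId
| project Timestamp, ReportId, NetworkMessageId, SenderMailFromAddress, SenderFromAddress,
    SenderMailFromDomain, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation,
    LatestDeliveryLocation, ThreatTypes, DetectionMethods, EmailAction
| sort by Timestamp desc
```

Save the query as a custom detection rule under Hunting > Custom detection rules in the Defender portal. Emails that EOP or MDO had already quarantined on their own verdict carry EmailAction = “Send to quarantine” and are deliberately excluded, so every hit is a message that only the Mail Flow rule stopped; each one is either a confirmed phish from a trial tenant or a false positive that should be released and, if the sender is a regular correspondent, exempted from the rule.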
Conclusion
Drop a query if you have any questions regarding Phishing and we will get back to you quickly.
FAQs
1. Why are “.onmicrosoft.com” domains being used in phishing attempts?
ANS: – “.onmicrosoft.com” domains are the default domains of Microsoft 365 tenants, including free trial tenants, which attackers create in bulk to send phishing emails. The attackers take advantage of the disposable nature of these tenants: by the time one domain is reported and blocked, they have moved on to the next.
2. How does the provided KQL sample help identify potentially malicious emails?
ANS: – The KQL sample hunts for inbound emails from “.onmicrosoft.com” domains within the past 30 days. By analysing this data you can identify patterns, and legitimate senders that would otherwise become false positives, before implementing a Mail Flow rule to quarantine such emails.

WRITTEN BY Sumedh Arun Patil