Login
December 13, 2023Introduction
Recently, there has been a notable surge in the utilization of “. onmicrosoft.com” domains in phishing activities. Malicious actors are creating numerous trial Microsoft 365 accounts and automatically activating Exchange Online to facilitate the dissemination of phishing emails as a temporary strategy.
During a specific instance, I identified nearly 100 distinct “. onMicrosoft” domains transmitting identical phishing emails across various target domains within a few hours. Given that these phishing attempts were successfully evading multiple security protocols, it became imperative to swiftly implement enhanced measures to fortify the targeted domains against such orchestrated campaigns. Additionally, I instituted a comprehensive monitoring system to keep tabs on all emails quarantined because of our newly implemented measures. This proactive approach accounted for potential false positives, especially considering instances where users might be engaging with Exchange Online tenants that could be misconfigured.
Look for emails from the domain a.onmicrosoft.com
Below, you’ll find a sample of Kusto Query Language (KQL) code designed to generate a report that identifies all incoming emails received in the last 30 days from a domain with an .onmicrosoft.com extension. It is imperative to conduct a detailed analysis of this data before considering any actions to quarantine these emails, as there is a risk of encountering false positives.
Once a thorough examination of the data is complete and you have assessed the potential implications of implementing a Mail Flow rule to quarantine these emails, the next step involves creating a detection mechanism for all incoming emails that will be directed to quarantine after implementing the Mail Flow rule.
|
1 2 3 4 5 6 7 8 |
// Hunt for inbound emails from specific senderfromaddress domain EmailEvents | where Timestamp > ago (30d) | where EmailDirection == "Inbound" | extend SenderFromAddress = tostring(split(SenderMailFromAddress, "@")[-1]) | where SenderFromAddress contains "onmicrosoft.com" | project Timestamp, NetworkMessageId,SenderFromAddress, SenderFromDomain, RecipientEmailAddress,Subject, DeliveryAction,DeliveryLocation, LatestDeliveryAction, ThreatTypes,DetectionMethods, EmailAction | sort by Timestamp desc |
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
Crafting an Alert Rule for.onmicrosoft.com Emails Rerouted to Quarantine by a Mail Flow Rule
Deciphering this proved to be a challenge. When configuring a Mail Flow rule to divert an email to quarantine, the relevant information can be in the defender portal, specifically under Email Entity analysis data, as depicted below. However, it seems that this data is not accessible within the advanced hunting data. Although EmailEvents and the additional data field contain some information, it does not seem to be present when implementing a Mail Flow rule to quarantine the message.
Typically, when EOP & MDO relegates an email to quarantine, the Email Action field is filled with the information “Send to quarantine.” Nevertheless, if you direct an email explicitly to quarantine using a Mail Flow rule, this field stays unpopulated. The subsequent detection approach assumes the presence of a singular Mail Flow rule responsible for directing.onmicrosoft.com domain emails to quarantine. This enables us to pinpoint emails from the.onmicrosoft.com domain precisely routed to quarantine through the impending Mail Flow rule.
Establish a mail flow directive to route emails from a.onmicrosoft.com domain to quarantine
Step 1: Sign in to the Exchange Admin Centre
Link: aka.ms/admincenter
Step 2: Navigate to the “Admin Centre” in the bottom right corner and click on Exchange.
Step 3: Create a new rule with conditions.
- Apply this Rule if*
The Sender -> address matches any of the text patterns .onmicrosoft.com
- Do the Following
Redirect the Message to -> Hosted Quarantine
Moreover, ensure that end-users receive alerts whenever an email is sent to quarantine. Provide them with the ability to preview and request the release of emails from quarantine, facilitating more convenient management.
Conclusion
Drop a query if you have any questions regarding Phishing and we will get back to you quickly.
Empowering organizations to become ‘data driven’ enterprises with our Cloud experts.
- Reduced infrastructure costs
- Timely data-driven decisions
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.
To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.
FAQs
1. Why are ".onmicrosoft.com" domains being targeted in phishing attempts?
ANS: – “.onmicrosoft.com” domains are commonly associated with Microsoft 365 trial accounts, which attackers exploit to send phishing emails. The attackers take advantage of the temporary nature of these accounts, making it challenging to trace and block malicious activities quickly.
2. How does the provided KQL sample help identify potentially malicious emails?
ANS: – The KQL sample allows you to hunt for inbound emails from “.onmicrosoft.com” domains within the past 30 days. By analyzing this data, you can identify patterns and potential false positives before implementing a Mail Flow rule to quarantine such emails.
WRITTEN BY Sumedh Arun Patil
PREV
Comments