So there is a new campaign (at least new to me) of phishing attempts and such coming from an "xyz.onmicrosoft.com" sender domain. Anyone can sign up and start sending emails from that type of domain. I believe no legit email should be coming from a domain/mail domain of "xyz.onmicrosoft.com", but should be properly configured to be "domain.tld".
We got our first attempt coming from something like that and I would like to implement a compliance rule to either quarantine or reject (doesn't matter). I want to make sure I have the compliance rule set up properly before saving or enabling it so that legit emails still come in.
Here is what I have so far in the compliance rule
- Inbound
- If ALL of the following match:
  - Location: Sender header
    Matches regex: \w.*\.onmicrosoft\.com
  - Location: Sender header
    Not matches regex: ourdomain[1]\.onmicrosoft\.com
- Note: we do have MS365 for Office use, but do not use Exchange/email from the platform. We would still like to exclude our domain just in case, say, an MS365 notice somehow comes through that way; unlikely, but just in case.
All the other settings are up to us to configure so not worth mentioning. I just want to make sure the above rule does the following:
- If email INBOUND contains SENDER HEADER matching ANYTHING.ONMICROSOFT.COM and not matching OURDOMAIN1.ONMICROSOFT.COM perform xyz action
Edit: This would be in a separate compliance rule in our list of rules. We would not want this rule to affect any other email functionality (which I doubt it would since it's looking at very specific data)
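As an added dry-run example (not part of the post and not the mail platform's own code), the two regexes from the rule above can be evaluated against a handful of constructed Sender header values before the rule is enabled. It assumes, as most mail-filter "matches regex" conditions do, that the patterns are evaluated as unanchored substring searches; the `ourdomain1` tenant name is the post's placeholder, and the sample headers are made up for the test. A case-insensitive variant is included because header domains are not guaranteed to arrive in lowercase.

```python
import re

# The two patterns exactly as they appear in the post's rule.
# "[1]" is a one-character class that matches only "1", so the exclusion
# pattern is equivalent to ourdomain1\.onmicrosoft\.com.
MATCH_ANY_ONMICROSOFT = re.compile(r"\w.*\.onmicrosoft\.com")
EXCLUDE_OWN_TENANT = re.compile(r"ourdomain[1]\.onmicrosoft\.com")

# Same patterns compiled case-insensitively; a sender domain written in
# upper case would otherwise slip past the case-sensitive rule.
MATCH_ANY_ONMICROSOFT_CI = re.compile(MATCH_ANY_ONMICROSOFT.pattern, re.IGNORECASE)
EXCLUDE_OWN_TENANT_CI = re.compile(EXCLUDE_OWN_TENANT.pattern, re.IGNORECASE)


def rule_fires(sender_header: str, ignore_case: bool = False) -> bool:
    """Return True if the rule's ALL-of conditions hold for this Sender header.

    Assumption: the filter treats "matches regex" as an unanchored search
    (substring semantics). Confirm this against the product's documentation
    before relying on the result.
    """
    match_re = MATCH_ANY_ONMICROSOFT_CI if ignore_case else MATCH_ANY_ONMICROSOFT
    exclude_re = EXCLUDE_OWN_TENANT_CI if ignore_case else EXCLUDE_OWN_TENANT
    # Condition 1: Sender header matches *.onmicrosoft.com
    # Condition 2: Sender header does NOT match our own tenant
    return bool(match_re.search(sender_header)) and not exclude_re.search(sender_header)


# Constructed Sender header values for the dry run (not captured from real mail).
SAMPLE_SENDERS = [
    "alerts@xyz.onmicrosoft.com",                          # should be actioned
    "Notifications <noreply@ourdomain1.onmicrosoft.com>",  # own tenant, excluded
    "billing@vendor.example",                               # ordinary domain, delivered
    "NOREPLY@XYZ.ONMICROSOFT.COM",                          # upper case: missed unless ignore_case
    "bob@onmicrosoft.com",                                  # no ".onmicrosoft" substring, delivered
]


def dry_run(senders=SAMPLE_SENDERS, ignore_case: bool = False) -> dict:
    """Map each sample header to whether the rule would act on it."""
    return {s: rule_fires(s, ignore_case) for s in senders}


if __name__ == "__main__":
    for mode in (False, True):
        print(f"ignore_case={mode}")
        for sender, fired in dry_run(ignore_case=mode).items():
            print(f"  {'ACTION ' if fired else 'deliver'}  {sender}")
```

Running the script prints both passes; the only row that changes between them is the upper-case sender, which is the reason to check whether the mail platform's regex conditions are case-insensitive by default or need an explicit flag.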