Block ONMICROSOFT Domain in Office 365

Microsoft cloud services, and Office 365 in particular, are under constant attack. Every day customers face varied and increasingly sophisticated attacks, at the identity level and through phishing. This post describes the steps to minimize the exposure of the onmicrosoft.com domain in Office 365.

Despite the many security layers available in the Microsoft cloud services, new or more sophisticated attacks keep appearing.

The service that is attacked most heavily is Exchange Online. That is not surprising, and there are several reasons for it, but the main one is that users are the weakest link, so many attacks, phishing above all, are aimed at the user.

Recently a new phishing campaign appeared that is unusual because of the domain it was sent from. The attackers create a legitimate tenant in Office 365, which automatically comes with a domain ending in onmicrosoft.com.

From that moment on, the attackers run the campaign from a domain with the valid onmicrosoft.com suffix.
The result is that many such campaigns are not blocked, because the domain is treated as trustworthy, and many users are exposed to messages that ultimately lead to compromise.

Note: most organizations pay no attention to their onmicrosoft.com domain at all, even though every tenant has one, its name follows a predictable pattern (tenantname.onmicrosoft.com), and it accepts external mail like any other accepted domain.

How to Block onmicrosoft domain

To block external mail to the onmicrosoft.com domain, you need to follow these steps:

  • Create an Exchange Transport Rule (ETR) that rejects messages from outside the organization addressed to the tenant's onmicrosoft.com domain
  • Make sure that you are not using the onmicrosoft.com domain for mailboxes or mail flow
  • Make sure that the onmicrosoft.com domain is not the default (active) domain of the tenant
  • If you are in hybrid mode, there is another scenario for blocking the onmicrosoft domain (resubmit rather than reject), because the tenant's mail.onmicrosoft.com routing domain carries mail flow between on-premises Exchange and the cloud and must not be rejected
  • Audit the new transport rule and make sure it has no effect on legitimate mail before enforcing it

How to Block onmicrosoft domain with PowerShell

The same rule can be created from Exchange Online PowerShell with the following commands:

# Collect the tenant's onmicrosoft.com accepted domains (the wildcard is required: -like "onmicrosoft.com" matches nothing)
$TenantDomains = (Get-AcceptedDomain | ? { $_.DomainName -like "*.onmicrosoft.com" }).DomainName
# Reject messages from outside the organization that are addressed to those domains
New-TransportRule -FromScope NotInOrganization -RecipientDomainIs $TenantDomains -Name "Reject messages to onmicrosoft.com domains" -RejectMessageReasonText "You are not allowed to relay to this user's managed domain name"

Once the rule has been created, you can audit its matches from the Exchange Admin Center (EAC) before enforcing it.
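The full procedure from the list above, as an added example that is not part of the original post: it enumerates the tenant's onmicrosoft.com accepted domains, checks that none of them is the default domain or still carries primary SMTP addresses, creates the rule in Audit mode, reviews the matches with a message trace, and only then enforces it. It assumes the ExchangeOnlineManagement module, an Exchange Online administrator account, and the rule name and seven-day review window chosen here; the exclusion of *.mail.onmicrosoft.com is for hybrid tenants, where that domain routes on-premises mail to the cloud.

```powershell
# Added example, not the original post's code. Assumes the
# ExchangeOnlineManagement module and an Exchange Online admin account.
Connect-ExchangeOnline

$RuleName = 'Reject external messages to onmicrosoft.com domains'   # assumed rule name

# Step 1: collect the tenant's onmicrosoft.com accepted domains.
# The wildcard matters: -like 'onmicrosoft.com' matches nothing.
# In hybrid tenants <tenant>.mail.onmicrosoft.com is the routing domain for
# on-premises-to-cloud mail flow, so it is excluded from the reject list.
$TenantDomains = @(Get-AcceptedDomain |
    Where-Object { $_.DomainName -like '*.onmicrosoft.com' -and
                   $_.DomainName -notlike '*.mail.onmicrosoft.com' } |
    ForEach-Object { [string]$_.DomainName })
if ($TenantDomains.Count -eq 0) { throw 'No onmicrosoft.com accepted domain found.' }

# Step 2: make sure the onmicrosoft.com domain is not the default domain ...
$DefaultDomain = Get-AcceptedDomain | Where-Object { $_.Default }
if ($DefaultDomain -and $TenantDomains -contains [string]$DefaultDomain.DomainName) {
    Write-Warning "$($DefaultDomain.DomainName) is still the default domain; make a custom domain the default first."
}

# ... and that no recipient still uses it as a primary SMTP address.
$InUse = Get-Recipient -ResultSize Unlimited | Where-Object {
    $TenantDomains -contains $_.PrimarySmtpAddress.ToString().Split('@')[-1]
}
if ($InUse) {
    $InUse | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize
    Write-Warning 'These recipients would stop receiving external mail; move them to a custom domain first.'
}

# Step 3: create the rule in Audit mode. Audit mode records matches in the
# message trace and reports but does not reject anything yet.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -FromScope NotInOrganization `
        -RecipientDomainIs $TenantDomains `
        -RejectMessageReasonText "You are not allowed to relay to this user's managed domain name" `
        -Mode Audit `
        -Comments 'Rejects external mail addressed to the tenant onmicrosoft.com domains'
}

# Step 4: after a few days of auditing, list the external messages that
# would have been rejected (Get-MessageTrace covers the last 10 days and
# returns at most 5000 rows per page).
$Accepted = @((Get-AcceptedDomain) | ForEach-Object { [string]$_.DomainName })
$Hits = Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -PageSize 5000 |
    Where-Object {
        $TenantDomains -contains $_.RecipientAddress.Split('@')[-1] -and
        $Accepted -notcontains $_.SenderAddress.Split('@')[-1]
    }
$Hits | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status |
    Sort-Object Received | Format-Table -AutoSize

# Step 5: once the audit shows only unwanted mail, enforce the rule.
# Set-TransportRule -Identity $RuleName -Mode Enforce
```

The RecipientDomainIs condition takes a list of literal domains, so the wildcard is only used when filtering the accepted domains; the condition itself receives the fully qualified tenant domains. Keep the final Set-TransportRule line commented out until the message trace shows that nothing legitimate is addressed to the onmicrosoft.com domain.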

Office365 Archives – Elli Shlomo (eshlomo.us)

Microsoft 365 Blog – Microsoft Tech Community



1 Response

  1. Lior says:

    Thanks for this.
    BTW, No wildcards on domain names.
