The onmicrosoft.com domain is a tenant address. It is the initial domain with which the tenant was created. This domain is also referred to as the MOERA (Microsoft Online Email Routing Address) domain.

However, this domain is normally never used to send email, so it is a good idea to block all email coming from any onmicrosoft.com domain. Attackers can abuse these domains by registering their own tenant for more credibility without registering a custom domain.

Creating a transport rule on Exchange Online

Blocking the onmicrosoft.com domain for incoming mail is possible using a transport rule on Exchange Online.

Go to the Exchange Admin Center and open Mail flow – Rules.

Create a new rule with the condition "The sender address matches any of these text patterns" and enter the pattern '.onmicrosoft.com'.

As the action, I recommend quarantining the email, so that you can release it from quarantine if it turns out to be a false positive.

Lastly, it’s important to add your own tenant’s address to the exceptions. Various internal services use the MOERA address, so you need to put it in the exceptions to this rule.

You can leave the rule settings at their defaults.
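The same rule can be created from Exchange Online PowerShell. The script below is an added example, not the author's own. The rule name and comment text are assumptions, and it assumes the exception is expressed as a sender-domain exception built from the tenant's own onmicrosoft.com accepted domains.

```powershell
# Added example, not part of the original article.
# Requires the ExchangeOnlineManagement module and Exchange admin rights.
Connect-ExchangeOnline

$ruleName = 'Quarantine inbound onmicrosoft.com senders'  # hypothetical name
$pattern  = '.onmicrosoft.com'                             # pattern as given in the article

# Collect this tenant's own onmicrosoft.com accepted domains (the MOERA domain
# and any others, such as a hybrid routing domain) to use as rule exceptions.
$ownDomains = Get-AcceptedDomain |
    Where-Object { $_.DomainName -like '*.onmicrosoft.com' } |
    ForEach-Object { [string]$_.DomainName }

# Without the exception the rule would quarantine the tenant's own service mail.
if (-not $ownDomains) {
    throw 'No onmicrosoft.com accepted domain found; not creating the rule.'
}

$params = @{
    FromAddressMatchesPatterns = $pattern      # condition: sender address matches pattern
    ExceptIfSenderDomainIs     = $ownDomains   # exception: our own tenant domains
    Quarantine                 = $true         # action: deliver to hosted quarantine
    Comments                   = 'Quarantine mail sent from other tenants'' onmicrosoft.com domains'
}

# Create the rule, or update it in place if it already exists.
if (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue) {
    Set-TransportRule -Identity $ruleName @params
} else {
    New-TransportRule -Name $ruleName @params
}

# Show the resulting configuration for review.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, FromAddressMatchesPatterns, ExceptIfSenderDomainIs, Quarantine
```

Review the `ExceptIfSenderDomainIs` value in the output before relying on the rule: it should list every onmicrosoft.com domain that belongs to your tenant.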
