
Spam: Default Microsoft Exchange Online sender domain (onmicrosoft.com)

Sublime Rules

Summary
This detection rule identifies potentially malicious emails originating from the default Microsoft Exchange Online sender domain, `onmicrosoft.com`. This domain is frequently exploited for sending spam and phishing emails. The rule triggers when certain conditions are met: the sender's address belongs to `onmicrosoft.com`, the message contains links, and the message is not a reply or forward. Additionally, it excludes automated messages and checks for valid attachments. If any aspect of the sender or message headers indicates benign correspondence (for example, a link to a known Microsoft domain), the rule does not trigger, which keeps false positives low. The rule is most useful in environments where email from `onmicrosoft.com` is not expected, where it closes a common gap in inbound email security.
Categories
  • Cloud
  • Web
  • Identity Management
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-02-29