
Message Traversed Multiple onmicrosoft.com Tenants

Sublime Rules

Summary
This detection rule identifies messages that have traversed multiple distinct onmicrosoft.com tenants, which is an indicator of potential phishing activity. The rule triggers when an inbound message is addressed to a single recipient whose domain is an onmicrosoft.com subdomain that is not one of the organization's own domains, and when the authentication results in the message headers show that the message has passed through two or more distinct onmicrosoft.com subdomains. Messages matching this pattern are flagged because the behavior suggests an evasion tactic commonly used in callback phishing attacks: routing a message through several trial or throwaway tenants obscures its true origin and lends it an appearance of legitimacy in the recipient's eyes. The detection combines sender and header analysis to assess the message's legitimacy so that such messages are surfaced for review.
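The following Python is an added illustration of the header logic described above; it is not the Sublime rule itself or its query language. It assumes that the tenant hops are visible as onmicrosoft.com subdomains inside the message's Authentication-Results headers (the smtp.mailfrom and header.d fields), that inbound direction has already been established by the caller, and that org_domains holds the organization's own domains. The two messages are constructed samples, not real captures.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Captures the tenant label that sits directly before ".onmicrosoft.com".
ONMICROSOFT_RE = re.compile(r"\b([a-z0-9-]+)\.onmicrosoft\.com\b", re.IGNORECASE)


def _parse(raw: str) -> Message:
    return message_from_string(raw)


def distinct_tenants(raw: str) -> set[str]:
    """Return the distinct onmicrosoft.com tenants named in Authentication-Results headers.

    Assumption: each tenant hop leaves an Authentication-Results header whose
    smtp.mailfrom / header.d values name that tenant's onmicrosoft.com domain.
    """
    msg = _parse(raw)
    tenants: set[str] = set()
    for value in msg.get_all("Authentication-Results", []):
        for match in ONMICROSOFT_RE.finditer(value):
            tenants.add(match.group(1).lower() + ".onmicrosoft.com")
    return tenants


def recipient_domains(raw: str) -> list[str]:
    """Lower-cased domain of every address in the To header."""
    msg = _parse(raw)
    addrs = [addr for _, addr in getaddresses(msg.get_all("To", []))]
    return [addr.rsplit("@", 1)[-1].lower() for addr in addrs if "@" in addr]


def matches_rule(raw: str, org_domains: set[str]) -> bool:
    """True when the message shows the multi-tenant traversal pattern.

    Conditions mirror the summary: exactly one recipient, recipient domain is an
    onmicrosoft.com subdomain that is not an org domain, and at least two
    distinct onmicrosoft.com tenants appear in the authentication results.
    """
    domains = recipient_domains(raw)
    if len(domains) != 1:
        return False
    rcpt = domains[0]
    if not rcpt.endswith(".onmicrosoft.com") or rcpt in org_domains:
        return False
    return len(distinct_tenants(raw)) >= 2


# Constructed sample: two distinct tenants appear in the authentication results.
SUSPECT = """\
From: "Billing" <billing@tenant-a.onmicrosoft.com>
To: recipient@tenant-c.onmicrosoft.com
Subject: Account notice
Authentication-Results: spf=pass smtp.mailfrom=tenant-a.onmicrosoft.com; dkim=pass header.d=tenant-a.onmicrosoft.com
Authentication-Results: spf=pass smtp.mailfrom=tenant-b.onmicrosoft.com; dkim=pass header.d=tenant-b.onmicrosoft.com

Please call the number below regarding your account.
"""

# Constructed sample: only one tenant is ever named, so the rule must not fire.
BENIGN = """\
From: "IT" <it@tenant-a.onmicrosoft.com>
To: recipient@tenant-c.onmicrosoft.com
Subject: Maintenance window
Authentication-Results: spf=pass smtp.mailfrom=tenant-a.onmicrosoft.com; dkim=pass header.d=tenant-a.onmicrosoft.com
Authentication-Results: spf=pass smtp.mailfrom=tenant-a.onmicrosoft.com

Systems will be unavailable on Saturday.
"""

if __name__ == "__main__":
    org = {"example.com"}
    print("suspect:", matches_rule(SUSPECT, org), distinct_tenants(SUSPECT))
    print("benign: ", matches_rule(BENIGN, org), distinct_tenants(BENIGN))
```

The recipient-count and org-domain checks are what keep this from firing on ordinary intra-tenant mail; dropping either one is the usual source of false positives when reimplementing a rule like this outside Sublime.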
Categories
  • Cloud
  • Identity Management
  • Web
Data Sources
  • User Account
  • Network Traffic
  • Application Log
Created: 2024-12-18