Forum Discussion

Erin Scupham's avatar
Erin Scupham
Copper Contributor
Aug 31, 2016

onmicrosoft.com accounts

Hi, looking to understand more about the onmicrosoft.com domain in O365 tenants, which I've seen some info here. We are looking to cleanup users in our tenant that was created quite some time ago.  We have hundreds of users with the onmicrosoft.com instead of our company's domain that we've since added.  How have others done this cleanup?  Do you mass delete all users with the onmicrosoft.com emails?  Is it correct to assume that all the .onmicrosoft.com accounts were added prior to us adding our company's domain?  What happens when you swith the default from onmicrosoft.com to your companys primary domain?

  • The .onmicrosoft.com users were either created before you synced your domain or created manually in O365. You can switch their UPN to be your corporate domain instead of .onmicrosoft.com and users should then be able to login with their corporate credentials (assuming you are doing some form of AD Connect or Sync). The one limitation as far as I know is that after switching the UPN suffix their profile properties won't sync fully since the pre-existing properties will be preserved. At least that is what I've seen in practice.
  • The .onmicrosoft.com users were either created before you synced your domain or created manually in O365. You can switch their UPN to be your corporate domain instead of .onmicrosoft.com and users should then be able to login with their corporate credentials (assuming you are doing some form of AD Connect or Sync). The one limitation as far as I know is that after switching the UPN suffix their profile properties won't sync fully since the pre-existing properties will be preserved. At least that is what I've seen in practice.
  • Dean_Gross's avatar
    Dean_Gross
    Silver Contributor

    my current client is using onmicosoft.com accounts for administrative purposes. Their admins use their domain accounts for day-to-day activities and when they need to do admin tasks, they open an in-private session to login with their onmicrosoft.com account.

  • Jeff Milne's avatar
    Jeff Milne
    Brass Contributor
    This is an old discussion that doesn't appear to have been resolved - but it's the 1st thing that came up that seemed relevant from the threat analysis service for an email I was evaluating that looks like a phishing attack. I recently got that email through O365 and it was in a Junk folder. It looks to be rightly placed there. I'm a customer of O365 too.

    From the link provided by the originator of this thread, Erin Scupham, the Microsoft documentation regarding "onmicrosoft.com" seems to contradict what I'm seeing.

    From the docs referenced above:
    (i.e. https://docs.microsoft.com/en-us/microsoft-365/admin/setup/domains-faq?redirectSourcePath=%252fen-us%252farticle%252fAbout-your-initial-onmicrosoft-com-domain-in-Office-365-b9fc3018-8844-43f3-8db1-1b3a8e9cfd5a&view=o365-worldwide)

    The email in question looks like a phishing attack from:

    "Ryoko Wifi Router <Email address removed>"

    So the domain is "onmicrosoft.com" and there's a subdomain of nonsensical randomized characters "rpahcxialx".

    The documentation from above says:

    "Can I add custom subdomains or multiple domains to Microsoft 365?

    Yes. To add subdomains, **you must manage your own DNS settings at your registrar's website**. If you are letting Microsoft manage your DNS settings with NS records, or if you bought the domain from Microsoft, **you can't add subdomains**."

    Since "onmicrosoft.com" is a Microsoft domain - I would assume that the Microsoft rule would apply "you can't add subdomains". This person/user is obviously not managing their own DNS or domain. But they have a subdomain of gibberish under a legit Microsoft domain making it look somewhat benign and they are using the service to spam people (at a minimum), but it looks more like a phishing attack. That's NOT good! I assume you understand the concept - bad, unreputable subdomains under your good, reputable domain is a terrible business practice.

    So, what is going on? Why, or how, can someone use a legitimate domain from a major SaaS/Cloud vendor to spam, or much worse, attack other people? By using a subdomain from a legit domain makes this email looks harmless to most normal people. I don't know how dangerous this email is, if at all, and I'm not going to find out by clicking on anything. In the USA - we recently had 40% of the petrol to the east coast shut down by a ransomware attack and this is the primary method to gain access by criminals. I haven't done a full analysis of the header yet. I wanted to do a threat lookup of the domain first. I thought the domain name was a rather clever spoof of Microsoft, but whois says Microsoft owns the domain…! Well I'll be…

    I'm scratching my head here on how a rogue subdomain can be launched under a legit "big-3" cloud provider domain…???!!!!

    I have to say that I'm literally tired and warn out from patching all the holes and chasing down attacks to eliminate them before they can do damage. You guys need to do A LOT better! A 2 trillion dollar company should have the resources to make a huge difference, but… the issues just keep piling up… on us.

    Any insight would be appreciated.

    Jeff

    P.S. Steve Gibson, a real security expert, has some awesome and pointed critiques of the continued degradation of Windows security outcomes.

    See:

    Aug 17th 2021
    SECURITY NOW 832
    MICROSOFT’S CULPABLE NEGLIGENCE
    https://twit.tv/shows/security-now/episodes/832
    We invite you to read our show notes at https://www.grc.com/sn/SN-832-Notes.pdf

    Aug 24th 2021
    SECURITY NOW 833
    MICROSOFT’S REASONED NEGLECT
    https://twit.tv/shows/security-now/episodes/833
    We invite you to read our show notes at https://www.grc.com/sn/SN-833-Notes.pdf

    Sep 28th 2021
    SECURITY NOW 838
    AUTODISCOVER.FIASCO
    https://twit.tv/shows/security-now/episodes/838?autostart=false

    Live Shows
    https://twit.tv/shows/security-now

    Transcripts and audio & video downloads:
    https://www.grc.com/securitynow.htm
    • ETruss66235423423's avatar
      ETruss66235423423
      Copper Contributor

      Jeff Milne 

      I'm one of the victims of this.  I've just started receiving spam emails from someone using this domain.  I tried adding a rule to delete these emails but they keep appearing in my Junk Email.  Am I doing something wrong?

    • kodikotus33's avatar
      kodikotus33
      Copper Contributor
      I'm also a victim of this, I'm inundated with thousands of these onmicrosoft accounts that appear to be phishing attacks. Filter rules don't work they are still getting through. It's so old.
      • kodikotus33's avatar
        kodikotus33
        Copper Contributor

        kodikotus33 

        Here's a sampling.... it's a constant barrage;

        xyhhssibei.onmicrosoft.com

        dxphqvmrmu.onmicrosoft.com

        zfjdsgydmv.onmicrosoft.com

        vcwkyadega.onmicrosoft.com

        Email address removed

        uxngoheepsonmicrosoft.com

        hghzoznmys.onmicrosoft.com

        rkffcyunqg.onmicrosoft.com

        onwvkhwhse.onmicrosoft.com

        sbwojbvcew.onmicrosoft.com

        ldkpfcfsdc.onmicrosoft.com

        crnkskcvsb.onmicrosoft.com

        wghzoznmys.onmicrosoft.com

        xredvszvtxonmicrosoft.com

  • a lot of companys start with Onmicrosoft.com accounts and after they add the domain they change it. you should check if you did not add aliasses to the onmicrosoft.com accounts before deleteing. In another case they use the Onmicrosoft.com accounts for admin accounts so it is clear who is a admin. kr, Paul
  • Patrick Yore's avatar
    Patrick Yore
    Copper Contributor
    You can change these accounts to your public routable UPN which is normally the users email address. If you run the following command to change this using PowerShell Set-MsolUserPrincipalName -UserPrincipalName test.me@onmicrosoft.com -NewUserPrincipalName test.me@primarysmtp.com or if you want to change lots of users you can import from a CSV file the list of addresses you want changed and changed to import-csv c:\temp\names.csv | foreach{Set-MsolUserPrincipalName -UserPrincipalName $_.Users -NewUserPrincipalName $_.Email }

Resources