Query Details

Detecting Onmicrosoft Domains Impacted By Email Exchange Restrictions With External Domains

Query

**Detecting Onmicrosoft domains impacted by email exchange restrictions with External Domains (June 2026)**

Microsoft has announced new restrictions on email sending for organizations that use the default onmicrosoft domains. A throttling system will be enforced, limiting external email delivery to a maximum of 100 recipients per organization every 24 hours. To summarize:

1. Microsoft limits onmicrosoft.com domains to 100 external emails daily.
2. The restriction targets cybercriminals who exploit new tenants and protects the reputation of the shared domain.
3. Organizations must purchase custom domains; the rollout proceeds in phases through June 2026.

The following KQL query shows the number of distinct external domains to which your onmicrosoft.com domain has sent emails during a day. You may not see 100 domains per day, but in any case I recommend starting to purchase and configure your own domains instead of using the default one.

```
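// Mail sent from the tenant's default onmicrosoft.com domain
EmailEvents
| where SenderFromDomain endswith "onmicrosoft.com"
// Reduce each timestamp to its calendar day
| extend Date_F = format_datetime(Timestamp, "yyyy-MM-dd")
// Distinct recipient domains per sender domain per day
| summarize make_set(RecipientDomain), Total_External_Domains=dcount(RecipientDomain) by SenderFromDomain,Date_F
// Highest counts first
| order by Total_External_Domains desc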
```

Explanation

This KQL query is designed to help organizations using the default "onmicrosoft.com" domains understand their email sending patterns to external domains. Here's a simple breakdown of what the query does:

  1. Filter Emails: It looks at email events where the sender's domain ends with "onmicrosoft.com". This means it's focusing on emails sent from the default Microsoft domains.

  2. Extract Date: It formats the timestamp of each email to just the date (year-month-day), so it can group emails by the day they were sent.

  3. Summarize Data: For each day and each "onmicrosoft.com" domain, it creates a list of distinct external domains that received emails. It also counts how many different external domains received emails from each "onmicrosoft.com" domain on that day.

  4. Order Results: Finally, it orders the results by the total number of distinct external domains contacted, from the most to the least (descending is the default for `order by` in KQL).

The purpose of this query is to help organizations identify how many different external domains they are emailing each day using their "onmicrosoft.com" domain. Given the new restrictions from Microsoft, which limit external email delivery to 100 recipients per organization every 24 hours, this query can help organizations assess whether they are close to or exceeding this limit. It also serves as a prompt for organizations to consider purchasing and configuring their own custom domains to avoid these restrictions and protect their email reputation.
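Because the restriction described above is expressed in recipients rather than domains, the following variant counts distinct external recipient addresses per day and compares the result with the 100-recipient figure. It is an added example, not part of the original query. It assumes that `EmailDirection == "Outbound"` marks mail leaving the organization, that the limit counts distinct recipient addresses, and that a calendar-day bin approximates the 24-hour window; `ExternalRecipientLimit` and the output column names are chosen for this example.

```kql
// Added example: distinct external recipients per day for onmicrosoft.com senders.
// Assumption: the limit stated on this page (100 recipients / 24 hours) is
// counted in distinct recipient addresses.
let ExternalRecipientLimit = 100;
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain endswith ".onmicrosoft.com"
// Assumption: "Outbound" identifies mail delivered outside the organization,
// which excludes intra-org messages sent from the default domain.
| where EmailDirection == "Outbound"
| summarize
    External_Recipients = dcount(RecipientEmailAddress),   // dcount() is an estimate
    External_Domains    = dcount(RecipientDomain),
    Messages            = dcount(NetworkMessageId),
    Sender_Addresses    = make_set(SenderFromAddress, 10)  // up to 10 senders to follow up with
    by SenderFromDomain, Day = bin(Timestamp, 1d)
| extend Percent_Of_Limit = round(100.0 * External_Recipients / ExternalRecipientLimit, 1)
| extend Status = case(
    External_Recipients >= ExternalRecipientLimit,       "At or over limit",
    External_Recipients >= 0.8 * ExternalRecipientLimit, "Approaching limit",
    "OK")
| order by External_Recipients desc
```

The `Sender_Addresses` column shows which mailboxes or applications still send from the default domain and need to be moved to a custom domain first.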

Details

Sergio Albea

Released: August 23, 2025

Tables

EmailEvents

Keywords

EmailEvents, SenderFromDomain, RecipientDomain, Timestamp

Operators

endswith, extend, format_datetime, summarize, make_set, dcount, order by