
From: Tommy
Date: 1/13/21 9:58 PM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

Some hackers are using thousands of hotmail.com accounts to send spam. All emails are SPF and DKIM passed, which means it is 100% sure they are from Microsoft's server.

For example, if my domain is abcde.com, they are sending as below:

From: jacket <hotmail email> To: jacket@abcde.com

From: tommy <hotmail email> To: tommy@abcde.com

From: steven <hotmail email> To: steven@abcde.com

The account part before @abcde.com is used in the From header. Is it possible to add a new filter for this?


From: Anonymous
Date: 1/13/21 10:01 PM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

The mail subject and content are random, only a few words. I think they are using this method to validate the email accounts of my domain.


From: Synametrics Support
Date: 1/14/21 7:30 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

No, these emails are forged. They are not coming from Hotmail's server. I assume you're looking at the "From" header in the email message. Look at the MAIL FROM value in the SMTP envelope instead. Most likely that will not say Hotmail.com. Check https://www.xeams.com/difference-envelope-header.htm to see the difference between the email header and the SMTP envelope.

I can confidently say this is a forgery because the example you sent is a common method of deceiving the recipient to think the message came from Hotmail. In fact, Xeams has a filter that looks for such tricks and assigns a score.


From: Tommy
Date: 1/14/21 9:17 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

It is 100% sure from Microsoft's server. Those spammers batch register hotmail and gmail accounts with 10~20 random letters. All these accounts are used to send a few emails per day, so it is hard for Microsoft to catch the spam behavior.

Sometimes they only send emails with a few letters in the subject and content to validate the recipient.


From: Tommy
Date: 1/14/21 9:19 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

X-SM_EnvelopeFrom: noseslwlit@hotmail.com
X-SM_SENDER_IP: 40.92.253.28
X-SM_HeloStrInEnvelope: EHLO APC01-SG2-obe.outbound.protection.outlook.com
X-SMRecipient: guduhr@MYDOMAIN.COM
X-SM_RECEIVED_ON: Thu, 14 Jan 2021 06:22:40 +0800 (CST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=Tkxy9roCn4vWeIDorlnqei98bEXful4/X6fY1mN4vdy+4oXqaQa1xuUTwWdQ8DeBbhPstnMaojocrgELAZ5OD3hudrPPGgPw1gmK1gX/DqA58rCqf1aawyL8zv0qzBIZ/10c24J6FQGV4AETuQIfe+EKMlOZXFeCOaObwNaitWR/ObEr7FLoIelZa1HRPITX30Rygm2WlBW+FE+ddKonjUezQbIpl4CrnLcf+nBNSLqEnrGwvmDX05YQCzZ4UADFgTx0Mv+XcVUbKibhYmCQyYUvgYnHiFSL+TKOWjESWiNJe4iIhNWjF6pL+RLkCscgLbyaI1AxijkfXCdSzKPjpQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=jwN8J50i0EccK3MVTpv16FLQgD8KYaz+4RfgQaqv67I=;
b=gKRozhgXcyXm7yaQbIb4CcxzkOFT0B8Ruev1LGgx4HrAtP2LdpkWJwUzQsyVQl31rw1JQdHL0oX94iPj4+4XgCZYhBbxpZH+IoA9XeZRGC1GpRaHVtSGliv847Flad3un/UFHlRofeJvdj28/g2U8Cl8y8DDLdn63sCrVPmnqILg9Cjk69S3XjIo6aHd/6FmiXVpEP5qg87GgxGcRx0/lQMS5JyUqQfmDW7EQELF9wqWmG51m93hgBANFOv9xnWUUpl5PKfe1eQAkAxwvvrRHQifh9NH53RyTzO330pOjWaAH4r0bVs9x5QJdaDOvn6BNQ+NCAcXe+hQ3ysuSFJY9w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=jwN8J50i0EccK3MVTpv16FLQgD8KYaz+4RfgQaqv67I=;
b=RrsVjqLNG+fo+3PxSpOHxcotNzyiBmW6ldt2y9LDXDod1sisyjID1MxnFikd4Spg+dgkHzB9cAPpcxC8KTCChGybbbsdET3kGqoRxFRtqopsJN2b2ilCiuyyJq8KxHKQ6rWiyvERd5M2QKqXszoGEcv3GIgpnVDZtQ2PJsQ5X4ur9ycVQQHsGtw1haNSee4YPwhMsC4GrtVgPLxuBO/qIrmLR7STmYnWK1glcrr2q0OnGeDHQhOuA/KM79I0h1ncXYwNMS0ZXHE1z+v6lzvE1rxiUHB1rlruG77CeehPG/FSqQ270sa+ncRlGtTqXuBH8oxyURfQ6PnmhnqE256eZg==
Received: from HK2APC01FT023.eop-APC01.prod.protection.outlook.com
(2a01:111:e400:7ebc::46) by
HK2APC01HT161.eop-APC01.prod.protection.outlook.com (2a01:111:e400:7ebc::391)
with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3763.10; Wed, 13 Jan
2021 22:22:37 +0000
Received: from OSBPR01MB2136.jpnprd01.prod.outlook.com (10.152.248.52) by
HK2APC01FT023.mail.protection.outlook.com (10.152.248.222) with Microsoft
SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.20.3742.6 via Frontend Transport; Wed, 13 Jan 2021 22:22:37 +0000
X-IncomingTopHeaderMarker:
OriginalChecksum:0C759767D2530D903A94B09214C53C2F21F74C7B201ECB38B0C4556DCD85B085;UpperCasedChecksum:BF64DC42A80BE7D8AB39E94C7AA4605DC9D3871361E8FF43D949C2A61494D075;SizeAsReceived:8374;Count:43
Received: from OSBPR01MB2136.jpnprd01.prod.outlook.com
([fe80::346b:fe02:36ee:ea96]) by OSBPR01MB2136.jpnprd01.prod.outlook.com
([fe80::346b:fe02:36ee:ea96%3]) with mapi id 15.20.3742.012; Wed, 13 Jan 2021
22:22:36 +0000
From: guduhr <noseslwlit@hotmail.com>
To: guduhr <guduhr@MYDOMAIN.COM>
Subject: =?utf-8?B?5b+955af5rKl6K+d6JS86L6Q5aWz5bmy?=
Date: Thu, 14 Jan 2021 06:22:23 +0800
Message-ID:
<OSBPR01MB213681EFF368EB5372AC0021C1A90@OSBPR01MB2136.jpnprd01.prod.outlook.com>
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_02E2_017C9EA4.1DFDE760"
X-Mailer: Microsoft Outlook 16.0
X-TMN: [lL5N6pr487+wNdgOxYMrCUT0YgxCijzd]
X-ClientProxiedBy: HK2PR0401CA0004.apcprd04.prod.outlook.com
(2603:1096:202:2::14) To OSBPR01MB2136.jpnprd01.prod.outlook.com
(2603:1096:603:20::10)
Return-Path: noseslwlit@hotmail.com
X-Microsoft-Original-Message-ID: <006cdbb9bdf4$4a634b5a$3847415a$@pgquv>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from pgquv (222.67.186.87) by HK2PR0401CA0004.apcprd04.prod.outlook.com (2603:1096:202:2::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3763.9 via Frontend Transport; Wed, 13 Jan 2021 22:22:36 +0000
X-MS-PublicTrafficType: Email
X-IncomingHeaderCount: 43
X-EOPAttributedMessage: 0
X-MS-Office365-Filtering-Correlation-Id: f3c9014c-e798-4813-306a-08d8b811bb45
X-MS-TrafficTypeDiagnostic: HK2APC01HT161:
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:
vLSZhOCwqEeR6fqVAB7sRHFwNXKmBClswlj4qVeY5L7EoPl/kOl56RFOXTaRYim6k7/FgC/eowibIc63NW+5bYoQKpxT+yGhRi7xfc2Sh8k+G77xsShIdYIlwuOAGhH62f3+3SBDGmE16Gxr9EOYaa2yLVESe1S53Y8GC7lje2u1RJ2NEm2rFDrYzzW0m3njgcFda8tR1lgS42FXR60yyR3Q94Q2Xa9krcqcnoFxA81kZc45WTRPZrsZVyeCGav+
X-MS-Exchange-AntiSpam-MessageData:
Ve72Njl36VmLhydf50EMxSmjkx3OnVgvA30OxmmSWIf7vOdLcJckGXqXSPobgwvNiQYx0fgDSiXEEfSxrUOVBi5OrRDtQJZnw1Kv//O/BO8VZ8gFxVnt7X52PuNaD7exdW0NBGdtNKwPltnxhiiX8g==
X-OriginatorOrg: hotmail.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Jan 2021 22:22:36.7634
(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-Network-Message-Id: f3c9014c-e798-4813-306a-08d8b811bb45
X-MS-Exchange-CrossTenant-AuthSource:
HK2APC01FT023.eop-APC01.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg:
00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HK2APC01HT161


From: Synametrics Support
Date: 1/14/21 9:30 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

Yes, this example came from Microsoft. I recommend you report this to Microsoft as mentioned on sendersupport.olc.protection.outlook.com/pm/policies.aspx. Search for Abuse and Spam Reporting towards the bottom.

What score did you get in Xeams? Was the message blocked?


From: Tommy
Date: 1/14/21 9:45 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

It is about -50 when they are sending with only very few words in the subject and content. Bayesian thinks it is good, and SPF passes.

But when they are really sending ads, it is easy to catch them with the body keyword filter.


From: Synametrics Support
Date: 1/14/21 10:10 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

I see the following line in the header that you posted earlier:

Received: from pgquv (222.67.186.87) by HK2PR0401CA0004.apcprd04.prod.outlook.com (2603:1096:202:2::14) with Microsoft SMTP Server

This means they are using an email client on their desktop rather than Hotmail's web interface. Look at the sender's IP address in these emails. If they are coming from a handful of IP addresses, you can create a Header filter to look for them.


From: Tommy
Date: 1/14/21 9:28 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

I have collected about 3000 hotmail accounts that are sending spam; the first part of the email address is random letters, such as:

nesledojuub@hotmail.com
mcsladooglkox@hotmail.com
fsuspk@hotmail.com
saydoaezkpmnl@hotmail.com
zkpowrutwah@hotmail.com
ytlkwwsrhs@hotmail.com
orqjnkm@hotmail.com
sbxosildr@hotmail.com
dzqdvxjcb@hotmail.com
oarhfbsu@hotmail.com
theeteyjulvm@hotmail.com
zkpowrutwah@hotmail.com
mcsetheqfjf@hotmail.com
qnssiv@hotmail.com
salezeaitlwdo@hotmail.com
rupoizx@hotmail.com
glpfmai@hotmail.com
teddagisuplmp@hotmail.com
nycheighrpapm@hotmail.com
xnnepqndi@hotmail.com
sheditmgc@hotmail.com
simawynv@hotmail.com
ozqxjr@hotmail.com
fyllzrv@hotmail.com
fwetmbiv@hotmail.com
shathedwgcp@hotmail.com
lateshoaiwrgn@hotmail.com
sxdogqmj@hotmail.com
cempjj@hotmail.com
vswjdbyjebf@hotmail.com
teaunounqtib@hotmail.com


From: Synametrics Support
Date: 1/14/21 10:29 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

One more suggestion. I see that the IP address 222.67.186.87 is blacklisted on SpamHaus XBL. You could add an XBL filter in Xeams using the following configuration:


VERY IMPORTANT: Under normal circumstances we do NOT recommend checking the "Check only first IP in the header" box. That can result in many false positives. However, since you're under attack, do this temporarily and remove it once done.

You could also enable RBLServer.log in Xeams. Check https://xeams.com/xeams-log-files.htm, select the tab for Additional Logging and see RBL Servers.

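As an added, self-contained example (not code from the thread, from Xeams, or from Synametrics), here is a Python triage script that applies the checks discussed in this thread to the headers Tommy posted: it pulls the originating client IP from the oldest Received line, the hop Synametrics Support pointed to (222.67.186.87), compares the envelope sender that Xeams records in X-SM_EnvelopeFrom with the header From, flags the "recipient's local part reused as the sender's display name" pattern from the first post, and builds the Spamhaus ZEN DNSBL query name for the origin IP as the XBL suggestion describes. The resolver is injected so the DNSBL part runs offline; the trimmed SAMPLE headers and the stub answer 127.0.0.4 are constructed, and the ZEN return-code table is an assumption to verify against Spamhaus's current documentation before relying on it.

```python
import email
import ipaddress
import re
from email.utils import parseaddr

# Constructed sample: the headers posted in the thread, trimmed to the ones
# this example reads. MYDOMAIN.COM is the placeholder the thread already uses.
SAMPLE = """\
X-SM_EnvelopeFrom: noseslwlit@hotmail.com
X-SM_SENDER_IP: 40.92.253.28
X-SMRecipient: guduhr@MYDOMAIN.COM
Received: from HK2APC01FT023.eop-APC01.prod.protection.outlook.com
 (2a01:111:e400:7ebc::46) by
 HK2APC01HT161.eop-APC01.prod.protection.outlook.com (2a01:111:e400:7ebc::391)
 with Microsoft SMTP Server id 15.20.3763.10; Wed, 13 Jan 2021 22:22:37 +0000
Received: from OSBPR01MB2136.jpnprd01.prod.outlook.com (10.152.248.52) by
 HK2APC01FT023.mail.protection.outlook.com (10.152.248.222) with Microsoft
 SMTP Server id 15.20.3742.6 via Frontend Transport; Wed, 13 Jan 2021 22:22:37 +0000
From: guduhr <noseslwlit@hotmail.com>
To: guduhr <guduhr@MYDOMAIN.COM>
Subject: test
Received: from pgquv (222.67.186.87) by HK2PR0401CA0004.apcprd04.prod.outlook.com (2603:1096:202:2::14) with Microsoft SMTP Server id 15.20.3763.9 via Frontend Transport; Wed, 13 Jan 2021 22:22:36 +0000

body
"""

# "Received: from <name> (<address>)": the parenthesised address is the
# connecting host as observed by the relay that wrote the line.
_FROM_ADDR = re.compile(r"^from\s+\S+\s+\(\[?([0-9A-Fa-f.:]+)", re.IGNORECASE)


def parse(raw):
    return email.message_from_string(raw)


def origin_ip(msg):
    """Relays prepend Received lines, so the last one is the oldest hop.
    Walk from there upward and return the first publicly routable address."""
    for value in reversed(msg.get_all("Received", [])):
        m = _FROM_ADDR.match(" ".join(value.split()))  # unfold continuation lines
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if addr.is_global:
            return str(addr)
    return None


def envelope_vs_header(msg):
    """Compare the SMTP envelope sender (X-SM_EnvelopeFrom as stamped by
    Xeams, falling back to Return-Path) with the RFC 5322 From address."""
    envelope = (msg.get("X-SM_EnvelopeFrom") or msg.get("Return-Path") or "").strip().lower()
    _, header = parseaddr(msg.get("From", ""))
    return envelope, header.lower(), envelope == header.lower()


def mirrors_recipient(msg):
    """The pattern from the first post: the recipient's own local part appears
    as the sender's display name (or local part)."""
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, to_addr = parseaddr(msg.get("To", ""))
    to_local = to_addr.partition("@")[0].lower()
    if not to_local:
        return False
    return to_local in (from_name.strip().lower(), from_addr.partition("@")[0].lower())


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """Reverse the address and append the list zone: 222.67.186.87 becomes
    87.186.67.222.zen.spamhaus.org; IPv6 uses the same nibble reversal as ip6.arpa."""
    reverse = ipaddress.ip_address(ip).reverse_pointer  # ends in in-addr.arpa / ip6.arpa
    return reverse.rsplit(".", 2)[0] + "." + zone


# Spamhaus ZEN answer codes (assumption: verify against Spamhaus's current docs).
_ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "SBL-CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.9": "SBL-DROP", "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def dnsbl_verdict(ip, resolve):
    """resolve(name) returns the A-record strings for name, or [] on NXDOMAIN.
    Injected so the check runs offline; in production pass a real DNS lookup."""
    return sorted({_ZEN_CODES.get(a, "unknown:" + a) for a in resolve(dnsbl_query_name(ip))})


def triage(raw, resolve=lambda name: []):
    msg = parse(raw)
    origin = origin_ip(msg)
    env, hdr, same = envelope_vs_header(msg)
    return {
        "connecting_ip": (msg.get("X-SM_SENDER_IP") or "").strip() or None,
        "origin_ip": origin,
        "envelope_from": env,
        "header_from": hdr,
        "envelope_matches_header": same,
        "mirrors_recipient": mirrors_recipient(msg),
        "dnsbl_query": dnsbl_query_name(origin) if origin else None,
        "dnsbl": dnsbl_verdict(origin, resolve) if origin else [],
    }


if __name__ == "__main__":
    # Constructed stub resolver: answers XBL for the origin hop, as the thread reports.
    stub = lambda name: ["127.0.0.4"] if name.startswith("87.186.67.222.") else []
    for key, value in triage(SAMPLE, stub).items():
        print(f"{key:>24}: {value}")
```

Two things the output makes visible that the raw headers do not: the connecting IP (40.92.253.28, Microsoft's outbound relay) and the origin IP (222.67.186.87, the submitting client) are different addresses, so an IP-based header filter has to target the latter; and because the envelope sender and header From agree here, the envelope check alone would not catch this campaign, which is why the recipient-mirroring and DNSBL checks are worth scoring alongside it.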

From: Tommy
Date: 3/24/22 3:20 AM
Topic: 【SUGGESTION】Recipient account in From header filter
Type: General Discussions

Huh
