Detection rules › Sublime MQL
Callback phishing via Microsoft comment
Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing |
| Tactics and techniques | Impersonation: Brand, Out of band pivot, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| subject |
| type |
Rule body MQL
type.inbound
and length(attachments) == 0
and length(body.current_thread.text) < 1750
// Legitimate MicrosoftOnline sending infrastructure
// or invites@microsoft.com abuse
and (
(
sender.email.domain.root_domain in ('microsoftonline.com')
or sender.email.email == "invites@microsoft.com"
)
// Callback Phishing
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("callback_scam", "cred_theft")
and .confidence in ("medium", "high")
)
or 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(.,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
)
)
Detection logic
Scope: inbound message.
Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks.
- inbound message
- length(attachments) is 0
- length(body.current_thread.text) < 1750
all of:
any of:
- sender.email.domain.root_domain in ('microsoftonline.com')
- sender.email.email is 'invites@microsoft.com'
any of:
any of
ml.nlu_classifier(body.current_thread.text).intentswhere all hold:- .name in ('callback_scam', 'cred_theft')
- .confidence in ('medium', 'high')
at least 3 of 14: body.current_thread.text matches any of 14 patterns
*purchase**payment**transaction**subscription**antivirus**order**support**help line**receipt**invoice**call**cancel**renew**refund*
any of
[body.current_thread.text, subject.subject]where:. matches any of 2 patterns
\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
Inspects: body.current_thread.text, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.ilike.
Indicators matched (22)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | member | microsoftonline.com |
sender.email.email | equals | invites@microsoft.com |
ml.nlu_classifier(body.current_thread.text).intents[].name | member | callback_scam |
ml.nlu_classifier(body.current_thread.text).intents[].name | member | cred_theft |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high |
strings.ilike | substring | *purchase* |
strings.ilike | substring | *payment* |
strings.ilike | substring | *transaction* |
strings.ilike | substring | *subscription* |
strings.ilike | substring | *antivirus* |
strings.ilike | substring | *order* |
10 more
strings.ilike | substring | *support* |
strings.ilike | substring | *help line* |
strings.ilike | substring | *receipt* |
strings.ilike | substring | *invoice* |
strings.ilike | substring | *call* |
strings.ilike | substring | *cancel* |
strings.ilike | substring | *renew* |
strings.ilike | substring | *refund* |
regex.icontains | regex | \+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4} |
regex.icontains | regex | \+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4} |