Service abuse: Callback phishing via Microsoft Teams invite
Detects abuse of legitimate Microsoft Teams invites containing callback scam content, including brand references and financial transaction language with phone numbers.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing |
| Tactics and techniques | Impersonation: Brand, Out of band pivot, Social engineering |
Event coverage
Rule body (MQL)

```
type.inbound
and sender.email.domain.domain == "teams.mail.microsoft"
// MS Teams invite indicators
and (
  any(body.links,
      .display_text == "Open Microsoft Teams"
      and (
        .href_url.domain.domain == "login.microsoftonline.com"
        or strings.iends_with(.href_url.query_params,
                              "login.microsoftonline.com"
        )
      )
  )
)
and (
  (
    regex.icontains(strings.replace_confusables(body.current_thread.text),
                    (
                      "mcafee|norton|geek.{0,5}squad|pay.?pal|ebay|symantec|best buy|lifelock|(ms|microsoft|teams).{0,10}premium"
                    )
    )
    or 3 of (
      strings.ilike(body.current_thread.text, '*purchase*'),
      strings.ilike(body.current_thread.text, '*p?ym?nt*'),
      strings.ilike(body.current_thread.text, '*transaction*'),
      strings.ilike(body.current_thread.text, '*subscription*'),
      strings.ilike(body.current_thread.text, '*antivirus*'),
      strings.ilike(body.current_thread.text, '*order*'),
      strings.ilike(body.current_thread.text, '*support*'),
      strings.ilike(body.current_thread.text, '*help line*'),
      strings.ilike(body.current_thread.text, '*receipt*'),
      strings.ilike(body.current_thread.text, '*c?ntact*'),
      strings.ilike(body.current_thread.text, '*cancel*'),
      strings.ilike(body.current_thread.text, '*renew*'),
      strings.ilike(body.current_thread.text, '*refund*'),
      strings.ilike(body.current_thread.text, '*billing*'),
      regex.icontains(body.current_thread.text, '[li]nv.[li]ce')
    )
  )
  // phone number regex
  and any([body.current_thread.text, subject.subject],
          regex.icontains(.,
                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}'
          )
  )
)
```
Detection logic
Scope: inbound message.
- inbound message
- sender.email.domain.domain is 'teams.mail.microsoft'
- any of body.links where all hold:
  - .display_text is 'Open Microsoft Teams'
  - any of:
    - .href_url.domain.domain is 'login.microsoftonline.com'
    - .href_url.query_params ends with 'login.microsoftonline.com'
- all of:
  - any of:
    - strings.replace_confusables(body.current_thread.text) matches `mcafee|norton|geek.{0,5}squad|pay.?pal|ebay|symantec|best buy|lifelock|(ms|microsoft|teams).{0,10}premium`
    - at least 3 of 15: body.current_thread.text matches any of the ilike globs `*purchase*`, `*p?ym?nt*`, `*transaction*`, `*subscription*`, `*antivirus*`, `*order*`, `*support*`, `*help line*`, `*receipt*`, `*c?ntact*`, `*cancel*`, `*renew*`, `*refund*`, `*billing*`, or the regex `[li]nv.[li]ce`
  - any of [body.current_thread.text, subject.subject] where:
    - . matches `\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}`
Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.query_params, sender.email.domain.domain, subject.subject, type.inbound. Sensors: regex.icontains, strings.iends_with, strings.ilike, strings.replace_confusables.
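The rule's boolean structure re-implemented in Python as an added example (not Sublime's code or MQL engine) and run over two constructed Teams-invite messages, one callback lure and one ordinary invite that trips four financial keywords but carries no phone number. `CONFUSABLES` is a tiny stand-in for `strings.replace_confusables`, and the message dict layout is an assumption.

```python
import fnmatch
import re

# Constructed stand-in for strings.replace_confusables (Cyrillic look-alikes only).
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c"})
BRAND_RE = re.compile(r"mcafee|norton|geek.{0,5}squad|pay.?pal|ebay|symantec"
                      r"|best buy|lifelock|(ms|microsoft|teams).{0,10}premium", re.I)
# The 14 ilike globs (* = any run, ? = one char) plus the invoice regex: the 3-of-15 block.
GLOBS = ["*purchase*", "*p?ym?nt*", "*transaction*", "*subscription*", "*antivirus*",
         "*order*", "*support*", "*help line*", "*receipt*", "*c?ntact*", "*cancel*",
         "*renew*", "*refund*", "*billing*"]
KEYWORD_RES = [re.compile(fnmatch.translate(g), re.I) for g in GLOBS]
KEYWORD_RES.append(re.compile(r"[li]nv.[li]ce", re.I))
# [ilo0-9] lets digits written with look-alike letters (1->l/i, 0->o) still count.
PHONE_RE = re.compile(r"\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}", re.I)

def is_teams_invite(msg):
    # Sender domain plus an "Open Microsoft Teams" link into login.microsoftonline.com.
    return msg["sender_domain"] == "teams.mail.microsoft" and any(
        link["display_text"] == "Open Microsoft Teams"
        and (link["domain"] == "login.microsoftonline.com"
             or link["query_params"].lower().endswith("login.microsoftonline.com"))
        for link in msg["links"])

def keyword_hits(text):
    return sum(1 for rx in KEYWORD_RES if rx.search(text))

def matches_rule(msg):
    # Same boolean shape as the MQL: invite AND (brand OR >=3 keywords) AND phone number.
    if not (msg["inbound"] and is_teams_invite(msg)):
        return False
    text = msg["text"]
    lure = BRAND_RE.search(text.translate(CONFUSABLES)) or keyword_hits(text) >= 3
    phone = any(PHONE_RE.search(s) for s in (text, msg["subject"]))
    return bool(lure and phone)

# Constructed sample messages, not real captures; dict layout is an assumption.
INVITE = {"display_text": "Open Microsoft Teams",
          "domain": "login.microsoftonline.com", "query_params": ""}
SCAM = {"inbound": True, "sender_domain": "teams.mail.microsoft", "links": [INVITE],
        "subject": "Meeting invite",  # "Nоrtоn" below uses Cyrillic о homoglyphs
        "text": "Your Nоrtоn antivirus subscription was renewed for $399.99. "
                "To cancel and get a refund call support at +1 (800) 555-0199."}
BENIGN = {"inbound": True, "sender_domain": "teams.mail.microsoft", "links": [INVITE],
          "subject": "Weekly sync",
          "text": "Agenda: sprint review, then the purchase order and billing receipt."}
```

Note that `BENIGN` passes the invite check and the keyword threshold but is not flagged, because the rule also requires a phone number in the thread text or subject; the homoglyph brand name in `SCAM` is only caught after confusable replacement.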
Indicators matched (21)
| Field | Match | Value |
|---|---|---|
| sender.email.domain.domain | equals | teams.mail.microsoft |
| body.links[].display_text | equals | Open Microsoft Teams |
| body.links[].href_url.domain.domain | equals | login.microsoftonline.com |
| strings.iends_with | suffix | login.microsoftonline.com |
| regex.icontains | regex | `mcafee\|norton\|geek.{0,5}squad\|pay.?pal\|ebay\|symantec\|best buy\|lifelock\|(ms\|microsoft\|teams).{0,10}premium` |
| strings.ilike | substring | `*purchase*` |
| strings.ilike | substring | `*p?ym?nt*` |
| strings.ilike | substring | `*transaction*` |
| strings.ilike | substring | `*subscription*` |
| strings.ilike | substring | `*antivirus*` |
| strings.ilike | substring | `*order*` |
| strings.ilike | substring | `*support*` |
| strings.ilike | substring | `*help line*` |
| strings.ilike | substring | `*receipt*` |
| strings.ilike | substring | `*c?ntact*` |
| strings.ilike | substring | `*cancel*` |
| strings.ilike | substring | `*renew*` |
| strings.ilike | substring | `*refund*` |
| strings.ilike | substring | `*billing*` |
| regex.icontains | regex | `[li]nv.[li]ce` |
| regex.icontains | regex | `\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}` |