Service abuse: Microsoft with suspicious indicators in subject

Detects messages impersonating Microsoft account verification that contain suspicious indicators in the subject line, including phone numbers, monetary amounts, suspicious domains, explicit content, or lengthy action-oriented phrases.


 1name: "Service abuse: Microsoft with suspicious indicators in subject"
 2description: "Detects messages impersonating Microsoft account verification that contain suspicious indicators in the subject line, including phone numbers, monetary amounts, suspicious domains, explicit content, or lengthy action-oriented phrases."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  //
 8  //  Warning: This rule contains sexually explicit keywords
 9  //
10  and sender.email.domain.root_domain == "microsoftonline.com"
11  and strings.icontains(subject.subject, 'account email verification code')
12  and (
13    // phone number regex
14    regex.icontains(subject.base,
15                    '\+?(?:[ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
16                    '\+?(?:[ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
17    )
18    // dollar amounts
19    or regex.icontains(subject.base, '(?:USD|\$)\s?\d')
20    or regex.icontains(subject.base, '\d+\.\d{2}\s?(?:USD|usd)')
21    // suspicious TLDs
22    or regex.icontains(subject.base,
23                       '\.(?:ac\.th|biz\.id|co\.(?:cl|id|za)|com\.(?:ge|py)|my\.id|ne\.jp|net\.ms|nom\.za|web\.id|accountants|am|app|ar|army|beauty|best|bet|bio|biz|bond|cam|cc|cf|cfd|chat|cl|click|cloud|club|cm|company|consulting|country|cricket|cyou|date|dev|digital|directory|domains|download|enterprises|es|expert|fashion|finance|fit|foo|free|fun|ga|gdn|gf|gq|gu|help|i2p|icu|il|ing|ink|ir|jetzt|kim|kz|lat|life|limited|link|live|loan|lol|ltd|ly|me|meme|men|ml|mom|monster|mov|mq|one|online|ooo|party|photos|pictures|pizza|press|pro|pub|pw|racing|re|ren|rest|review|ro|rsvp|ru|run|sale|sbs|science|shop|site|so|social|solutions|space|store|stream|su|sx|tech|tk|today|tokyo|top|trade|tt|ua|uno|us|vip|vu|wang|website|win|work|works|world|ws|xin|xyz|zip|zone)\b'
24    )
25    // dating/spam/explicit content lures
26    or regex.icontains(strings.replace_confusables(subject.base),
27                       '(?:\bs\s?e\s?x\b|horny|hook.?up|private room|wanna meet|wants to meet|naked|porn|webcam|nudes?|sexting|erotic|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|bed partner)'
28    )
29    // action verbs + length
30    or (
31      strings.count(subject.base, " ") > 8
32      and regex.icontains(strings.replace_confusables(subject.base),
33                          '(?:call|dial|speak to|contact \d|to (?:stop|void|reverse|confirm|secure|verify|unfreeze))'
34      )
35    )
36  )  
37attack_types:
38  - "Credential Phishing"
39  - "Spam"
40tactics_and_techniques:
41  - "Impersonation: Brand"
42  - "Social engineering"
43detection_methods:
44  - "Sender analysis"
45  - "Content analysis"
46id: "8967fec1-2664-5e5e-8f0f-063903ba68cd"