Callback phishing via MicrosoftOnline comment
Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks.
Sublime rule (View on GitHub)
1name: "Callback phishing via MicrosoftOnline comment"
2description: "Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(attachments) == 0
8
9 // Legitimate MicrosoftOnline sending infratructure
10 and sender.email.domain.root_domain == 'microsoftonline.com'
11 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
12
13 // Callback Phishing
14 and (
15 any(ml.nlu_classifier(body.current_thread.text).intents,
16 .name in ("callback_scam")
17 and .confidence in ("medium", "high")
18 and length(body.current_thread.text) < 1750
19 )
20 or 3 of (
21 strings.ilike(body.current_thread.text, '*purchase*'),
22 strings.ilike(body.current_thread.text, '*payment*'),
23 strings.ilike(body.current_thread.text, '*transaction*'),
24 strings.ilike(body.current_thread.text, '*subscription*'),
25 strings.ilike(body.current_thread.text, '*antivirus*'),
26 strings.ilike(body.current_thread.text, '*order*'),
27 strings.ilike(body.current_thread.text, '*support*'),
28 strings.ilike(body.current_thread.text, '*help line*'),
29 strings.ilike(body.current_thread.text, '*receipt*'),
30 strings.ilike(body.current_thread.text, '*invoice*'),
31 strings.ilike(body.current_thread.text, '*call*'),
32 strings.ilike(body.current_thread.text, '*cancel*'),
33 strings.ilike(body.current_thread.text, '*renew*'),
34 strings.ilike(body.current_thread.text, '*refund*')
35 )
36 )
37 // phone number regex
38 and any([body.current_thread.text, subject.subject],
39 regex.icontains(.,
40 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
41 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
42 )
43 )
44
45
46attack_types:
47 - "Callback Phishing"
48tactics_and_techniques:
49 - "Impersonation: Brand"
50 - "Out of band pivot"
51 - "Social engineering"
52detection_methods:
53 - "Content analysis"
54 - "Header analysis"
55 - "Natural Language Understanding"
56 - "Sender analysis"
57id: "8346c7b9-1b46-50e7-b04e-b32969db8737"