Callback phishing via Microsoft comment

calendar Apr 13, 2026  ·
Share on: linkedin copy

Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks.

Sublime rule (View on GitHub)

 1name: "Callback phishing via Microsoft comment"
 2description: "Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(attachments) == 0
 8  and length(body.current_thread.text) < 1750
 9  
10  // Legitimate MicrosoftOnline sending infrastructure
11  // or invites@microsoft.com abuse
12  and (
13    (
14      sender.email.domain.root_domain in ('microsoftonline.com')
15      or sender.email.email == "invites@microsoft.com"
16    )
17  
18    // Callback Phishing
19    and (
20      any(ml.nlu_classifier(body.current_thread.text).intents,
21          .name in ("callback_scam", "cred_theft")
22          and .confidence in ("medium", "high")
23      )
24      or 3 of (
25        strings.ilike(body.current_thread.text, '*purchase*'),
26        strings.ilike(body.current_thread.text, '*payment*'),
27        strings.ilike(body.current_thread.text, '*transaction*'),
28        strings.ilike(body.current_thread.text, '*subscription*'),
29        strings.ilike(body.current_thread.text, '*antivirus*'),
30        strings.ilike(body.current_thread.text, '*order*'),
31        strings.ilike(body.current_thread.text, '*support*'),
32        strings.ilike(body.current_thread.text, '*help line*'),
33        strings.ilike(body.current_thread.text, '*receipt*'),
34        strings.ilike(body.current_thread.text, '*invoice*'),
35        strings.ilike(body.current_thread.text, '*call*'),
36        strings.ilike(body.current_thread.text, '*cancel*'),
37        strings.ilike(body.current_thread.text, '*renew*'),
38        strings.ilike(body.current_thread.text, '*refund*')
39      )
40    )
41    // phone number regex
42    and any([body.current_thread.text, subject.subject],
43            regex.icontains(.,
44                            '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
45                            '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
46            )
47    )
48  )  
49
50attack_types:
51  - "Callback Phishing"
52tactics_and_techniques:
53  - "Impersonation: Brand"
54  - "Out of band pivot"
55  - "Social engineering"
56detection_methods:
57  - "Content analysis"
58  - "Header analysis"
59  - "Natural Language Understanding"
60  - "Sender analysis"
61id: "8346c7b9-1b46-50e7-b04e-b32969db8737"
to-top