Service abuse: Callback phishing via Microsoft Teams invite

Detects abuse of legitimate Microsoft Teams invites containing callback scam content, including brand references and financial transaction language with phone numbers.

Sublime rule (View on GitHub)

 1name: "Service abuse: Callback phishing via Microsoft Teams invite"
 2description: "Detects abuse of legitimate Microsoft Teams invites containing callback scam content, including brand references and financial transaction language with phone numbers."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and sender.email.domain.domain == "teams.mail.microsoft"
 8  // MS Teams invite indicators
 9  and (
10    any(body.links,
11        .display_text == "Open Microsoft Teams"
12        and (
13          .href_url.domain.domain == "login.microsoftonline.com"
14          or strings.iends_with(.href_url.query_params,
15                                "login.microsoftonline.com"
16          )
17        )
18    )
19  )
20  and (
21    (
22      regex.icontains(strings.replace_confusables(body.current_thread.text),
23                      (
24                        "mcafee|norton|geek.{0,5}squad|pay.?pal|ebay|symantec|best buy|lifelock|(ms|microsoft|teams).{0,10}premium"
25                      )
26      )
27      or 3 of (
28        strings.ilike(body.current_thread.text, '*purchase*'),
29        strings.ilike(body.current_thread.text, '*p?ym?nt*'),
30        strings.ilike(body.current_thread.text, '*transaction*'),
31        strings.ilike(body.current_thread.text, '*subscription*'),
32        strings.ilike(body.current_thread.text, '*antivirus*'),
33        strings.ilike(body.current_thread.text, '*order*'),
34        strings.ilike(body.current_thread.text, '*support*'),
35        strings.ilike(body.current_thread.text, '*help line*'),
36        strings.ilike(body.current_thread.text, '*receipt*'),
37        strings.ilike(body.current_thread.text, '*c?ntact*'),
38        strings.ilike(body.current_thread.text, '*cancel*'),
39        strings.ilike(body.current_thread.text, '*renew*'),
40        strings.ilike(body.current_thread.text, '*refund*'),
41        strings.ilike(body.current_thread.text, '*billing*'),
42        regex.icontains(body.current_thread.text, '[li]nv.[li]ce')
43      )
44    )
45    // phone number regex
46    and any([body.current_thread.text, subject.subject],
47            regex.icontains(.,
48                            '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}'
49            )
50    )
51  )  
52
53attack_types:
54  - "Callback Phishing"
55tactics_and_techniques:
56  - "Impersonation: Brand"
57  - "Out of band pivot"
58  - "Social engineering"
59detection_methods:
60  - "Content analysis"
61  - "URL analysis"
62  - "Sender analysis"
63id: "13e35e5f-6d1e-5844-96a4-41a42f7e06a3"