Brand impersonation: Microsoft Teams
Impersonation of a Microsoft Teams message.
Sublime rule
name: "Brand impersonation: Microsoft Teams"
description: |
  Impersonation of a Microsoft Teams message.
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and any(file.explode(.),
                  regex.icontains(.scan.ocr.raw, "trying to reach you.*microsoft teams")
          )
  )
  and sender.email.domain.root_domain not in ("microsoft.com", "microsoftsupport.com", "office.com")
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "9cd53055-8e1a-5a45-b78f-34a62f0793dd"
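To make the rule's three conditions concrete, the following is an added example that re-implements its logic in plain Python over constructed sample messages. It is not Sublime's engine or the rule's own code: `file.explode`, `regex.icontains` and `root_domain` are approximated. Assumptions are labelled in the comments: the membership of `$file_types_images` (the page does not list it), a simplified two-label `root_domain`, and that `.*` in the OCR regex spans line breaks (the page does not state how the engine treats newlines in OCR output, so the multi-line sample is there to show why that matters).

```python
import re
from dataclasses import dataclass

# Assumed contents of $file_types_images; the page does not enumerate the list.
IMAGE_FILE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "tiff", "webp"}

# Same pattern as the rule. DOTALL is an assumption: OCR text is often broken
# across lines, and whether "." spans newlines in the real engine should be
# verified against it rather than against this example.
TEAMS_PATTERN = re.compile(r"trying to reach you.*microsoft teams",
                           re.IGNORECASE | re.DOTALL)

# Sender root domains the rule treats as legitimate.
LEGIT_ROOT_DOMAINS = {"microsoft.com", "microsoftsupport.com", "office.com"}


@dataclass
class Attachment:
    file_type: str
    ocr_texts: list  # one OCR string per exploded sub-file (stand-in for file.explode)


@dataclass
class Message:
    inbound: bool
    sender_email: str
    attachments: list


def root_domain(domain):
    # Simplified: keep the last two labels. Sublime's root_domain is
    # public-suffix aware, so e.g. "foo.co.uk" would differ from this.
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def attachment_matches(att):
    # (.file_type in $file_types_images or .file_type == "pdf")
    if not (att.file_type.lower() in IMAGE_FILE_TYPES or att.file_type.lower() == "pdf"):
        return False
    # any(file.explode(.), regex.icontains(.scan.ocr.raw, ...))
    return any(TEAMS_PATTERN.search(text or "") for text in att.ocr_texts)


def rule_matches(msg):
    if not msg.inbound:                                  # type.inbound
        return False
    if not any(attachment_matches(a) for a in msg.attachments):
        return False
    sender_domain = msg.sender_email.rsplit("@", 1)[-1]  # sender.email.domain
    return root_domain(sender_domain) not in LEGIT_ROOT_DOMAINS


# Constructed samples (not real messages).
SAMPLES = {
    "lure_png": Message(True, "alerts@teams-notification.example",
                        [Attachment("png", ["Someone is trying to reach you on Microsoft Teams"])]),
    "legit_microsoft": Message(True, "no-reply@email.teams.microsoft.com",
                               [Attachment("png", ["Someone is trying to reach you on Microsoft Teams"])]),
    "wrong_file_type": Message(True, "alerts@teams-notification.example",
                               [Attachment("docx", ["Someone is trying to reach you on Microsoft Teams"])]),
    "outbound": Message(False, "alerts@teams-notification.example",
                        [Attachment("pdf", ["Someone is trying to reach you on Microsoft Teams"])]),
    "multiline_ocr": Message(True, "alerts@teams-notification.example",
                             [Attachment("jpg", ["Someone is trying to reach you\non Microsoft Teams"])]),
}


def evaluate_samples():
    """Return {sample_name: rule_matches} for every constructed sample."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} -> {'MATCH' if hit else 'no match'}")
```

Only the lure from a non-Microsoft root domain fires; the same image sent from a `microsoft.com` subdomain, a non-image/PDF attachment, or an outbound message does not. The `multiline_ocr` sample matches here only because of the DOTALL assumption, which is exactly the point to check when tuning the OCR regex for real attachments.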