Brand impersonation: Microsoft Teams invitation

Detects messages impersonating Microsoft Teams invites by matching known invite text patterns while containing join links that do not resolve to Microsoft domains. Additional verification includes checking for absent phone dial-in options and missing standard Teams help text or HTML meeting components.


# Sublime Security detection rule; the `source` field is an MQL boolean
# expression evaluated per inbound message. The rule fires on mail that reads
# like a Microsoft Teams invite but whose call-to-action link does not resolve
# to a Microsoft root domain, and that lacks elements seen in genuine invites.
name: "Brand impersonation: Microsoft Teams invitation"
description: "Detects messages impersonating a Microsoft Teams invites by matching known invite text patterns while containing join links that do not resolve to Microsoft domains. Additional verification includes checking for absent phone dial-in options and missing standard Teams help text or HTML meeting components."
type: "rule"
severity: "high"
source: |
  type.inbound
  // Invite-like wording, matched one of two ways: the verbatim Teams invite
  // template (Meeting ID / Passcode) or a looser "teams" + keyword match.
  // icontains is case-insensitive; contains is case-sensitive.
  and (
    (
      strings.icontains(body.current_thread.text, 'Microsoft Teams')
      and strings.icontains(body.current_thread.text, 'join the meeting now')
      and strings.contains(body.current_thread.text, 'Meeting ID:')
      and strings.contains(body.current_thread.text, 'Passcode:')
    )
    or (
      strings.icontains(body.current_thread.text, "teams")
      // at least two of the three keywords must be present
      and 2 of (
        strings.icontains(body.current_thread.text, "internal"),
        strings.icontains(body.current_thread.text, "message"),
        strings.icontains(body.current_thread.text, "meeting")
      )
    )
  )
  // not a reply (no References header entries and no In-Reply-To)
  and length(headers.references) == 0
  and headers.in_reply_to is null
  // few links
  and length(body.links) < 10

  // no unsubscribe links
  // common in newsletters which link to a webinar style event
  and not any(body.links, strings.icontains(.display_text, "unsub"))

  // one of the links is a CTA that doesn't link to MS
  // (=~ is a case-insensitive equality match on the whole display text)
  and any(body.links,
          (
            .display_text =~ "join the meeting now"
            or strings.icontains(.display_text, "play recording")
          )
          and .href_url.domain.root_domain not in (
            "microsoft.com",
            "microsoft.us"
          )
          // rewriters often abstract the link
          // a link whose root domain is a known bulk-mailer/rewriter domain is
          // skipped here, since its visible domain says nothing about the destination
          and .href_url.domain.root_domain not in $bulk_mailer_url_root_domains
  )
  // missing the dial by phone element
  and not strings.icontains(body.current_thread.text, 'Dial in by phone')

  // any of these suspicious elements from the body
  and (
    // malicious samples leveraged recipient domain branding here
    not strings.icontains(body.current_thread.text, 'Microsoft Teams Need help?')
    // malicious samples contained unique html elements not present in legit ones
    or strings.icontains(body.html.raw, '<div class="meeting-title">')
    or strings.icontains(body.html.raw, '<div class="meeting-time">')
    or strings.icontains(body.html.raw, '<div class="meeting-location">')
    or strings.icontains(body.html.raw, '<span class="conflict-badge">')
    or strings.icontains(body.html.raw, 'class="join-button"')
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a sender in the high-trust list is exempted only when DMARC passes;
  // everyone else is evaluated on the conditions above alone)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "HTML analysis"
  - "URL analysis"
id: "46410ad8-3465-505f-a78e-f77704910a91"