Brand Impersonation: Microsoft Teams Invitation

Detects messages impersonating a Microsoft Teams meeting invitation by matching known invite text patterns while containing a "Join the meeting now" link that does not resolve to a Microsoft domain. Additional verification requires the phone dial-in option to be absent, and either the standard Teams help text to be missing or HTML elements observed in malicious samples to be present.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: Microsoft Teams Invitation"
 2description: "Detects messages impersonating a Microsoft Teams invites by matching known invite text patterns while containing join links that do not resolve to Microsoft domains. Additional verification includes checking for absent phone dial-in options and missing standard Teams help text or HTML meeting components."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and strings.icontains(body.current_thread.text, 'Microsoft Teams')
 8  and strings.icontains(body.current_thread.text, 'join the meeting now')
 9  and strings.contains(body.current_thread.text, 'Meeting ID:')
10  and strings.contains(body.current_thread.text, 'Passcode:')
11  
12  // not a reply
13  and length(headers.references) == 0
14  and headers.in_reply_to is null
15  // few links
16  and length(body.links) < 10
17
18  // no unsubscribe links
19  // common in newsletters which link to a webinar style event
20  and not any(body.links, strings.icontains(.display_text, "unsub"))
21
22  // one of the links contains "join the meeting now"
23  and any(body.links, .display_text =~ "join the meeting now")
24  
25  // the "join the meeting now" link does not go to microsoft
26  and all(filter(body.links, .display_text =~ "join the meeting now"),
27          .href_url.domain.root_domain not in ("microsoft.com", "microsoft.us")
28          // rewriters often abstract the link
29          and .href_url.domain.root_domain not in $bulk_mailer_url_root_domains
30  )
31  
32  // missing the dial by phone element
33  and not strings.icontains(body.current_thread.text, 'Dial in by phone')
34  
35  // any of these suspicious elements from the body
36  and (
37    // malicious samples leveraged recipient domain branding here
38    not strings.icontains(body.current_thread.text, 'Microsoft Teams Need help?')
39    // malicious samples contained unique html elements not present in legit ones
40    or strings.icontains(body.html.raw, '<div class="meeting-title">')
41    or strings.icontains(body.html.raw, '<div class="meeting-time">')
42    or strings.icontains(body.html.raw, '<div class="meeting-location">')
43    or strings.icontains(body.html.raw, '<span class="conflict-badge">')
44    or strings.icontains(body.html.raw, 'class="join-button"')
45  )
46
47  // negate highly trusted sender domains unless they fail DMARC authentication
48  and (
49    (
50      sender.email.domain.root_domain in $high_trust_sender_root_domains
51      and not headers.auth_summary.dmarc.pass
52    )
53    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
54  )  
55attack_types:
56  - "Credential Phishing"
57tactics_and_techniques:
58  - "Impersonation: Brand"
59  - "Social engineering"
60detection_methods:
61  - "Content analysis"
62  - "Header analysis"
63  - "HTML analysis"
64  - "URL analysis"
65id: "46410ad8-3465-505f-a78e-f77704910a91"