Service abuse: Microsoft Power Automate callback scam impersonation

Detects callback scam attempts using the legitimate Microsoft Power Automate service email address with high-confidence callback scam language in the message body.

Sublime rule (View on GitHub)

name: "Service abuse: Microsoft Power Automate callback scam impersonation"
description: "Detects callback scam attempts using the legitimate Microsoft Power Automate service email address with high-confidence callback scam language in the message body."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == 'flow-noreply@microsoft.com'
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence != "low"
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "18d1c18b-ce21-5c53-b993-195ce8fdbe11"
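The rule above composes three gates: the message is inbound, the sender address is exactly the legitimate Power Automate service address, and the NLU classifier labels the current thread text as a callback scam with a confidence other than "low". The following is an added example, not part of the Sublime rule or the Sublime platform, that reproduces that gating logic in Python over constructed sample messages. Because Sublime's `ml.nlu_classifier` is not available offline, `classify_intents` is a stand-in that counts a few callback-scam signals (a claimed charge, a "call us" instruction, a phone number) and maps them to a confidence label; the message fields, sample texts and the `Message`/`Intent` types are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# --- stand-in for ml.nlu_classifier(...).intents (constructed, not Sublime's model) ---
# Three surface signals common in callback scams. The count of signals present is
# mapped to low/medium/high so the rule's `.confidence != "low"` gate can be exercised.
PHONE_RE = re.compile(r"\b(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
CHARGE_RE = re.compile(r"(?:charged|invoice|renew(?:ed|al)|\$\s?\d{2,})", re.I)
CALL_RE = re.compile(r"\b(?:call|dial|contact)\b", re.I)


@dataclass
class Intent:
    name: str
    confidence: str  # "low" | "medium" | "high", mirroring the labels the rule compares against


@dataclass
class Message:
    id: str
    inbound: bool                 # stands in for type.inbound
    sender_email: str             # stands in for sender.email.email
    current_thread_text: str      # stands in for body.current_thread.text (latest message only)


def classify_intents(text: str) -> List[Intent]:
    """Heuristic stand-in: returns a callback_scam intent when any signal is present."""
    signals = sum(bool(p.search(text)) for p in (PHONE_RE, CHARGE_RE, CALL_RE))
    if signals == 0:
        return []
    confidence = {1: "low", 2: "medium", 3: "high"}[signals]
    return [Intent("callback_scam", confidence)]


# --- the rule's logic ---
SERVICE_SENDER = "flow-noreply@microsoft.com"


def matches_rule(msg: Message) -> bool:
    """Mirror of the MQL source: inbound AND exact service sender AND non-low callback_scam intent."""
    if not msg.inbound:
        return False
    # Exact-address match (case-normalised); a lookalike domain or display-name trick does not pass.
    if msg.sender_email.lower() != SERVICE_SENDER:
        return False
    return any(
        i.name == "callback_scam" and i.confidence != "low"
        for i in classify_intents(msg.current_thread_text)
    )


def flagged(messages: List[Message]) -> List[str]:
    """Return the ids of messages the rule would fire on."""
    return [m.id for m in messages if matches_rule(m)]


# Constructed sample messages (not real mail).
SAMPLES = [
    Message("scam-via-power-automate", True, SERVICE_SENDER,
            "Your Norton 360 subscription has been renewed and your card was charged "
            "$399.99. If you did not authorize this, call 1-888-555-0142 within 24 hours."),
    Message("legit-flow-failure", True, SERVICE_SENDER,
            "Your flow 'Daily report' failed to run on 2024-05-01. "
            "Open Power Automate to review the run history."),
    Message("scam-other-sender", True, "billing@example.org",
            "Your card was charged $399.99. Call 1-888-555-0142 to dispute this invoice."),
    Message("weak-signal-only", True, SERVICE_SENDER,
            "Your flow run completed. A copy of the invoice PDF is attached."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        intents = classify_intents(m.current_thread_text)
        print(f"{m.id:26} intents={[(i.name, i.confidence) for i in intents]} fires={matches_rule(m)}")
```

Two points the example makes visible: the confidence gate is `!= "low"`, so the rule fires on medium as well as high confidence, which is broader than the description's "high-confidence" wording suggests; and because the sender address is Microsoft's own, the rule cannot lean on sender authentication results and rests entirely on the content classification of `body.current_thread.text`, the most recent message in the thread rather than any quoted history.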