Service abuse: Microsoft Power Apps callback scam

Detects callback scam messages sent through Microsoft Power Apps that impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, or other services, containing suspicious transaction-related language and phone numbers to solicit victim contact.

Sublime rule (View on GitHub)

 1name: "Service abuse: Microsoft Power Apps callback scam"
 2description: "Detects callback scam messages sent through Microsoft Power Apps that impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, or other services, containing suspicious transaction-related language and phone numbers to solicit victim contact."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.email == "powerapps-noreply@microsoft.com"
 8  and (
 9    any(ml.nlu_classifier(body.current_thread.text).intents,
10        .name == "callback_scam" and .confidence != "low"
11    )
12    or (
13      regex.icontains(body.current_thread.text,
14                      (
15                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
16                      )
17      )
18      and (
19        3 of (
20          strings.ilike(body.current_thread.text, '*purchase*'),
21          strings.ilike(body.current_thread.text, '*payment*'),
22          strings.ilike(body.current_thread.text, '*transaction*'),
23          strings.ilike(body.current_thread.text, '*subscription*'),
24          strings.ilike(body.current_thread.text, '*antivirus*'),
25          strings.ilike(body.current_thread.text, '*order*'),
26          strings.ilike(body.current_thread.text, '*support*'),
27          strings.ilike(body.current_thread.text, '*receipt*'),
28          strings.ilike(body.current_thread.text, '*invoice*'),
29          strings.ilike(body.current_thread.text, '*call*'),
30          strings.ilike(body.current_thread.text, '*cancel*'),
31          strings.ilike(body.current_thread.text, '*renew*'),
32          strings.ilike(body.current_thread.text, '*refund*'),
33          strings.ilike(body.current_thread.text, '*host key*')
34        )
35      )
36      // phone number regex
37      and any([body.current_thread.text, subject.subject],
38              regex.icontains(.,
39                              '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
40                              '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
41              )
42      )
43    )
44  )  
45
46attack_types:
47  - "Callback Phishing"
48tactics_and_techniques:
49  - "Impersonation: Brand"
50  - "Out of band pivot"
51  - "Social engineering"
52detection_methods:
53  - "Content analysis"
54  - "Natural Language Understanding"
55  - "Sender analysis"
56id: "ec6faebb-ecf3-5fd3-9bed-aa6d0ffefa2b"