← Back to Explore
sublimemediumRule
Service abuse: Microsoft Power Automate callback scam impersonation
Detects callback scam attempts using the legitimate Microsoft Power Automate service email address with high-confidence callback scam language in the message body.
Detection Query
type.inbound
and sender.email.email == 'flow-noreply@microsoft.com'
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam" and .confidence != "low"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: Microsoft Power Automate callback scam impersonation"
description: "Detects callback scam attempts using the legitimate Microsoft Power Automate service email address with high-confidence callback scam language in the message body."
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.email == 'flow-noreply@microsoft.com'
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam" and .confidence != "low"
)
attack_types:
- "Callback Phishing"
tactics_and_techniques:
- "Out of band pivot"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "18d1c18b-ce21-5c53-b993-195ce8fdbe11"