Sublime rule, severity: medium

Callback phishing via Microsoft comment

Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks.

MITRE ATT&CK

initial-access

Detection Query

type.inbound
and length(attachments) == 0

// Legitimate MicrosoftOnline sending infrastructure
// or invites@microsoft.com abuse
and (
  (
    sender.email.domain.root_domain in ('microsoftonline.com')
    or sender.email.email == "invites@microsoft.com"
  )

  // Callback Phishing
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("callback_scam")
        and .confidence in ("medium", "high")
        and length(body.current_thread.text) < 1750
    )
    or 3 of (
      strings.ilike(body.current_thread.text, '*purchase*'),
      strings.ilike(body.current_thread.text, '*payment*'),
      strings.ilike(body.current_thread.text, '*transaction*'),
      strings.ilike(body.current_thread.text, '*subscription*'),
      strings.ilike(body.current_thread.text, '*antivirus*'),
      strings.ilike(body.current_thread.text, '*order*'),
      strings.ilike(body.current_thread.text, '*support*'),
      strings.ilike(body.current_thread.text, '*help line*'),
      strings.ilike(body.current_thread.text, '*receipt*'),
      strings.ilike(body.current_thread.text, '*invoice*'),
      strings.ilike(body.current_thread.text, '*call*'),
      strings.ilike(body.current_thread.text, '*cancel*'),
      strings.ilike(body.current_thread.text, '*renew*'),
      strings.ilike(body.current_thread.text, '*refund*')
    )
  )
  // phone number regex
  and any([body.current_thread.text, subject.subject],
          regex.icontains(.,
                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
          )
  )
)
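The query above reads in three stages: the sender must come from Microsoft's own infrastructure, the body must look like callback-scam text (the NLU classifier, or at least three of the listed keywords), and a phone number must appear in the body or subject. The following Python port of the keyword and phone-number branches, run over a few constructed messages, is an added example and not code from Sublime or from this rule's author. It assumes a simplified `root_domain` (last two labels rather than the public suffix list) and does not reproduce the `ml.nlu_classifier` branch, so a message can only match through the keyword count; the sample senders, amounts and phone numbers are invented.

```python
import re
from dataclasses import dataclass, field

# Sender conditions copied from the rule (hypothetical Python port, not Sublime's engine).
TRUSTED_ROOT_DOMAINS = {"microsoftonline.com"}
TRUSTED_ADDRESSES = {"invites@microsoft.com"}

# Keyword list copied from the rule's "3 of (...)" branch; matching is a
# case-insensitive substring test, exactly like strings.ilike('*word*').
CALLBACK_KEYWORDS = [
    "purchase", "payment", "transaction", "subscription", "antivirus", "order",
    "support", "help line", "receipt", "invoice", "call", "cancel", "renew", "refund",
]
MIN_KEYWORD_HITS = 3

# Phone-number patterns copied from the rule. The class [ilo0-9] also accepts the
# letters i, l and o, which are used as look-alikes for 1 and 0 to slip past
# digit-only matching; re.IGNORECASE makes the class accept I, L and O as well.
PHONE_PATTERNS = [
    re.compile(r"\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}", re.IGNORECASE),
    re.compile(r"\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}", re.IGNORECASE),
]


@dataclass
class Message:
    """Minimal stand-in for the message fields the rule reads (constructed for this example)."""
    sender: str
    subject: str
    body: str
    inbound: bool = True
    attachments: list = field(default_factory=list)


def root_domain(email: str) -> str:
    """Last two labels of the sender's domain. Sublime's root_domain consults the
    public suffix list; this simplification is enough for the domains used here."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def is_microsoft_sender(email: str) -> bool:
    """sender.email.domain.root_domain in (...) or sender.email.email == ..."""
    email = email.lower()
    return root_domain(email) in TRUSTED_ROOT_DOMAINS or email in TRUSTED_ADDRESSES


def keyword_hits(text: str) -> list:
    """Keywords from the rule that occur in the body, in the rule's order."""
    lowered = text.lower()
    return [kw for kw in CALLBACK_KEYWORDS if kw in lowered]


def has_phone_number(*texts: str) -> bool:
    """any([body, subject], regex.icontains(., pattern1, pattern2))"""
    return any(p.search(t) for t in texts for p in PHONE_PATTERNS)


def matches_rule(msg: Message) -> bool:
    """Port of the rule's keyword branch; the NLU-classifier branch is omitted."""
    if not msg.inbound or msg.attachments:          # type.inbound and length(attachments) == 0
        return False
    if not is_microsoft_sender(msg.sender):
        return False
    if len(keyword_hits(msg.body)) < MIN_KEYWORD_HITS:
        return False
    return has_phone_number(msg.body, msg.subject)


# Constructed sample messages: senders, amounts and numbers are invented.
SAMPLE_MESSAGES = [
    # 1. Callback lure relayed through a microsoftonline.com subdomain: should match.
    Message("noreply@email.microsoftonline.com", "Your order confirmation",
            "Thank you for your purchase. Your subscription payment of $499.00 has been "
            "processed. To cancel or request a refund, call our support line at "
            "+1 (800) 555-0199 within 24 hours."),
    # 2. Genuine comment notification from the same infrastructure: no keywords, no match.
    Message("noreply@email.microsoftonline.com", "New comment on Q3 budget",
            "A comment was added to your document in SharePoint. Reply to this email to respond."),
    # 3. Same lure from an unrelated sender: outside the rule's scope, no match.
    Message("billing@example.com", "Your order confirmation",
            "Thank you for your purchase. Your subscription payment has been processed. "
            "To cancel or request a refund, call support at +1 (800) 555-0199."),
    # 4. invites@microsoft.com abuse with look-alike letters in the number: should match.
    Message("invites@microsoft.com", "Your antivirus order receipt",
            "Your antivirus renewal order has been billed. A receipt is below. "
            "To cancel, call 8OO-555-O199 today."),
    # 5. Same text as 1 but with an attachment: excluded by length(attachments) == 0.
    Message("noreply@email.microsoftonline.com", "Your order confirmation",
            "Thank you for your purchase. Your subscription payment has been processed. "
            "To cancel or request a refund, call support at +1 (800) 555-0199.",
            attachments=["invoice.pdf"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(f"{str(matches_rule(m)):5} {m.sender:36} hits={keyword_hits(m.body)}")
```

Sample 4 is the case worth stepping through: `\d{3}` in the second pattern rejects the area code `8OO`, but the first pattern's `[ilo0-9]{3}?` accepts it, which is why the rule carries both expressions. Sample 2 shows why the keyword count matters: the sender and the notification format are identical to sample 1, so only the content separates the two.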

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email

Raw Content
name: "Callback phishing via Microsoft comment"
description: "Detects callback scam messages originating from legitimate Microsoft infrastructure but containing fraudulent content designed to trick recipients into calling scammer phone numbers. The message includes typical callback phishing language around purchases, payments, subscriptions, or support services along with embedded phone numbers, while passing Microsoft's authentication checks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  
  // Legitimate MicrosoftOnline sending infrastructure
  // or invites@microsoft.com abuse
  and (
    (
      sender.email.domain.root_domain in ('microsoftonline.com')
      or sender.email.email == "invites@microsoft.com"
    )
  
    // Callback Phishing
    and (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("callback_scam")
          and .confidence in ("medium", "high")
          and length(body.current_thread.text) < 1750
      )
      or 3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*help line*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*')
      )
    )
    // phone number regex
    and any([body.current_thread.text, subject.subject],
            regex.icontains(.,
                            '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                            '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
            )
    )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "8346c7b9-1b46-50e7-b04e-b32969db8737"