← Back to Explore
sublimehighRule
Brand impersonation: Microsoft Teams
Impersonation of a Microsoft Teams message.
Detection Query
type.inbound
and length(filter(attachments,
.file_type in $file_types_images or .file_type == "pdf"
)
) < 10
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(file.explode(.),
regex.icontains(.scan.ocr.raw,
"trying to reach you.*microsoft teams"
)
)
)
and sender.email.domain.root_domain not in (
"microsoft.com",
"microsoftsupport.com",
"office.com"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Microsoft Teams"
description: |
Impersonation of a Microsoft Teams message.
type: "rule"
severity: "high"
source: |
type.inbound
and length(filter(attachments,
.file_type in $file_types_images or .file_type == "pdf"
)
) < 10
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(file.explode(.),
regex.icontains(.scan.ocr.raw,
"trying to reach you.*microsoft teams"
)
)
)
and sender.email.domain.root_domain not in (
"microsoft.com",
"microsoftsupport.com",
"office.com"
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Content analysis"
- "File analysis"
- "Optical Character Recognition"
- "Sender analysis"
id: "9cd53055-8e1a-5a45-b78f-34a62f0793dd"