• Sublime Core Feed

Description

Detects messages impersonating Microsoft Teams meeting invites: the body matches known invite text patterns, but the "join" call-to-action link does not resolve to a Microsoft domain. Additional checks require that the phone dial-in option is absent, and that either the standard Teams help text is missing or HTML meeting components seen only in malicious samples are present.

References

No references.

Sublime Security
Created May 5th, 2025 • Last updated Dec 15th, 2025
Source
type.inbound
and (
  (
    strings.icontains(body.current_thread.text, 'Microsoft Teams')
    and strings.icontains(body.current_thread.text, 'join the meeting now')
    and strings.contains(body.current_thread.text, 'Meeting ID:')
    and strings.contains(body.current_thread.text, 'Passcode:')
  )
  or (
    strings.icontains(body.current_thread.text, "teams")
    and 2 of (
      strings.icontains(body.current_thread.text, "internal"),
      strings.icontains(body.current_thread.text, "message"),
      strings.icontains(body.current_thread.text, "meeting")
    )
  )
)
// not a reply
and length(headers.references) == 0
and headers.in_reply_to is null
// few links
and length(body.links) < 10

// no unsubscribe links
// common in newsletters which link to a webinar style event
and not any(body.links, strings.icontains(.display_text, "unsub"))

// one of the links is a CTA that doesn't link to MS
and any(body.links,
        (
          .display_text =~ "join the meeting now"
          or strings.icontains(.display_text, "play recording")
        )
        and .href_url.domain.root_domain not in (
          "microsoft.com",
          "microsoft.us"
        )
        // rewriters often abstract the link
        and .href_url.domain.root_domain not in $bulk_mailer_url_root_domains
)
// missing the dial by phone element
and not strings.icontains(body.current_thread.text, 'Dial in by phone')

// any of these suspicious elements from the body
and (
  // malicious samples leveraged recipient domain branding here
  not strings.icontains(body.current_thread.text, 'Microsoft Teams Need help?')
  // malicious samples contained unique html elements not present in legit ones
  or strings.icontains(body.html.raw, '<div class="meeting-title">')
  or strings.icontains(body.html.raw, '<div class="meeting-time">')
  or strings.icontains(body.html.raw, '<div class="meeting-location">')
  or strings.icontains(body.html.raw, '<span class="conflict-badge">')
  or strings.icontains(body.html.raw, 'class="join-button"')
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
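The rule above is MQL and only runs inside Sublime. To make its logic easy to study offline, the following Python approximation is added here (it is not Sublime Security's code). The Message and Link classes are constructed stand-ins for MQL's body.current_thread.text, body.links, headers.* and sender.* fields; the two list constants stand in for the $high_trust_sender_root_domains and $bulk_mailer_url_root_domains lists, whose real contents are not on the page; and the two sample messages are constructed, not real samples.

```python
"""Python approximation of the Teams-invite rule (added example, not Sublime's code)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed stand-ins for Sublime's managed lists; contents are illustrative only.
HIGH_TRUST_SENDER_ROOT_DOMAINS = {"microsoft.com"}
BULK_MAILER_URL_ROOT_DOMAINS = {"sendgrid.net", "mailchimp.com"}
MICROSOFT_ROOT_DOMAINS = {"microsoft.com", "microsoft.us"}
# HTML fragments the rule treats as unique to the malicious samples.
SUSPICIOUS_HTML = ('<div class="meeting-title">', '<div class="meeting-time">',
                   '<div class="meeting-location">', '<span class="conflict-badge">',
                   'class="join-button"')


@dataclass
class Link:
    display_text: str
    href_host: str                 # hostname of the href (.href_url.domain)


@dataclass
class Message:
    text: str                      # body.current_thread.text
    html: str                      # body.html.raw
    links: List[Link]              # body.links
    sender_host: str               # sender.email.domain
    references: List[str] = field(default_factory=list)   # headers.references
    in_reply_to: Optional[str] = None                     # headers.in_reply_to
    dmarc_pass: bool = True        # headers.auth_summary.dmarc.pass
    inbound: bool = True           # type.inbound


def root_domain(host: str) -> str:
    """Last two labels of the host. Simplification: no public-suffix list, so
    'x.co.uk' would yield 'co.uk' where MQL's root_domain would not."""
    return ".".join(host.lower().split(".")[-2:])


def icontains(hay: str, needle: str) -> bool:
    return needle.lower() in hay.lower()


def looks_like_teams_invite(text: str) -> bool:
    strict = (icontains(text, "Microsoft Teams") and icontains(text, "join the meeting now")
              and "Meeting ID:" in text and "Passcode:" in text)
    loose = (icontains(text, "teams")
             and sum(icontains(text, w) for w in ("internal", "message", "meeting")) >= 2)
    return strict or loose


def has_non_microsoft_cta(links: List[Link]) -> bool:
    """A join / play-recording link whose root domain is neither Microsoft's
    nor a known bulk-mailer link rewriter (which would hide the real target)."""
    for link in links:
        is_cta = (link.display_text.lower() == "join the meeting now"   # MQL =~ is case-insensitive equality
                  or icontains(link.display_text, "play recording"))
        rd = root_domain(link.href_host)
        if is_cta and rd not in MICROSOFT_ROOT_DOMAINS and rd not in BULK_MAILER_URL_ROOT_DOMAINS:
            return True
    return False


def has_suspicious_element(text: str, html: str) -> bool:
    missing_help_text = not icontains(text, "Microsoft Teams Need help?")
    return missing_help_text or any(icontains(html, m) for m in SUSPICIOUS_HTML)


def sender_not_excused(msg: Message) -> bool:
    """High-trust sender domains are negated unless the message failed DMARC."""
    return root_domain(msg.sender_host) not in HIGH_TRUST_SENDER_ROOT_DOMAINS or not msg.dmarc_pass


def matches(msg: Message) -> bool:
    return (msg.inbound
            and looks_like_teams_invite(msg.text)
            and len(msg.references) == 0 and msg.in_reply_to is None   # not a reply
            and len(msg.links) < 10                                    # few links
            and not any(icontains(l.display_text, "unsub") for l in msg.links)
            and has_non_microsoft_cta(msg.links)
            and not icontains(msg.text, "Dial in by phone")            # no dial-in block
            and has_suspicious_element(msg.text, msg.html)
            and sender_not_excused(msg))


# Constructed samples (not real messages, not the samples the rule was built from).
PHISH = Message(
    text="Microsoft Teams meeting\nJoin the meeting now\nMeeting ID: 281 442 117 9\nPasscode: Qx7mN2",
    html='<a class="join-button" href="https://join.teams-meet-invite.example/m/1">Join the meeting now</a>',
    links=[Link("Join the meeting now", "join.teams-meet-invite.example")],
    sender_host="mail.teams-meet-invite.example",
)
LEGIT = Message(
    text=("Microsoft Teams meeting\nJoin the meeting now\nMeeting ID: 281 442 117 9\nPasscode: Qx7mN2\n"
          "Dial in by phone\n+1 555-0100\nMicrosoft Teams Need help?"),
    html='<a href="https://teams.microsoft.com/l/meetup-join/abc">Join the meeting now</a>',
    links=[Link("Join the meeting now", "teams.microsoft.com")],
    sender_host="teams.microsoft.com",
)

if __name__ == "__main__":
    print("phish matches:", matches(PHISH))   # True
    print("legit matches:", matches(LEGIT))   # False
```

Reading the predicates side by side shows why the rule has few false positives: a genuine invite fails at the CTA check alone (its join link resolves to microsoft.com), and it also carries the "Dial in by phone" block and the "Microsoft Teams Need help?" footer, so three independent conditions have to be wrong at once. The bulk-mailer exclusion is worth noting when tuning: a lure delivered through a known link rewriter would also be excluded, since the rewriter's domain hides the real target.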