• Sublime Core Feed
High Severity

Brand Impersonation: Microsoft Teams Invitation

Labels

Credential Phishing
Impersonation: Brand
Social engineering
Content analysis
Header analysis
HTML analysis
URL analysis

Description

Detects messages impersonating a Microsoft Teams invites by matching known invite text patterns while containing join links that do not resolve to Microsoft domains. Additional verification includes checking for absent phone dial-in options and missing standard Teams help text or HTML meeting components.

References

No references.

Sublime Security
Created May 5th, 2025 • Last updated May 5th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound
and strings.icontains(body.current_thread.text, 'Microsoft Teams')
and strings.icontains(body.current_thread.text, 'join the meeting now')
and strings.contains(body.current_thread.text, 'Meeting ID:')
and strings.contains(body.current_thread.text, 'Passcode:')

// not a reply
and length(headers.references) == 0
and headers.in_reply_to is null
// few links
and length(body.links) < 10

// no unsubscribe links
// common in newsletters which link to a webinar style event
and not any(body.links, strings.icontains(.display_text, "unsub"))

// one of the links contains "join the meeting now"
and any(body.links, .display_text =~ "join the meeting now")

// the "join the meeting now" link does not go to microsoft
and all(filter(body.links, .display_text =~ "join the meeting now"),
        .href_url.domain.root_domain not in ("microsoft.com", "microsoft.us")
        // rewriters often abstract the link
        and .href_url.domain.root_domain not in $bulk_mailer_url_root_domains
)

// missing the dial by phone element
and not strings.icontains(body.current_thread.text, 'Dial in by phone')

// any of these suspicious elements from the body
and (
  // malicious samples leveraged recipient domain branding here
  not strings.icontains(body.current_thread.text, 'Microsoft Teams Need help?')
  // malicious samples contained unique html elements not present in legit ones
  or strings.icontains(body.html.raw, '<div class="meeting-title">')
  or strings.icontains(body.html.raw, '<div class="meeting-time">')
  or strings.icontains(body.html.raw, '<div class="meeting-location">')
  or strings.icontains(body.html.raw, '<span class="conflict-badge">')
  or strings.icontains(body.html.raw, 'class="join-button"')
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
MQL Rule Console
DocsLearning Labs

Playground

Test against your own EMLs or sample data.

Share

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.

Get Started