From 2e095c73e2fc1a71f6fc33b4553612cf09762755 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Tue, 21 Apr 2026 09:52:44 -0400
Subject: [PATCH 1/2] Update impersonation_microsoft_teams.yml
---
 .../impersonation_microsoft_teams.yml | 34 +++++++++++++------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/detection-rules/impersonation_microsoft_teams.yml b/detection-rules/impersonation_microsoft_teams.yml
index 2dfaee5e5c5..974871dc745 100644
--- a/detection-rules/impersonation_microsoft_teams.yml
+++ b/detection-rules/impersonation_microsoft_teams.yml
@@ -9,19 +9,31 @@ source: |
 .file_type in $file_types_images or .file_type == "pdf"
 )
 ) < 10
- and any(attachments,
- (.file_type in $file_types_images or .file_type == "pdf")
- and any(file.explode(.),
- regex.icontains(.scan.ocr.raw,
- "trying to reach you.*microsoft teams"
- )
- )
+ and (
+ regex.icontains(body.current_thread.text,
+ 'trying to reach you.*microsoft teams',
+ 'new message in teams'
+ )
+ or any(attachments,
+ (.file_type in $file_types_images or .file_type == "pdf")
+ and any(file.explode(.),
+ regex.icontains(.scan.ocr.raw,
+ "trying to reach you.*microsoft teams"
+ )
+ )
+ )
 )
- and sender.email.domain.root_domain not in (
- "microsoft.com",
- "microsoftsupport.com",
- "office.com"
+ // not sent via legitimate Microsoft infra
+ and not strings.ends_with(headers.message_id, '@odspnotify>')
+ and not (
+ sender.email.domain.root_domain in (
+ "microsoft.com",
+ "microsoftsupport.com",
+ "office.com"
+ )
+ and coalesce(headers.auth_summary.dmarc.pass, false)
 )
+
 attack_types:
 - "Credential Phishing"
 tactics_and_techniques:
From 3f03b2f62212d70d00dc818636e1976ebe79e2d3 Mon Sep 17 00:00:00 2001
From: Mark Morris
Date: Wed, 22 Apr 2026 09:45:19 -0400
Subject: [PATCH 2/2] Update impersonation_microsoft_teams.yml
---
 detection-rules/impersonation_microsoft_teams.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
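Review bot: The new exclusion `and not strings.ends_with(headers.message_id, '@odspnotify>')` suppresses the rule on a header the sending system supplies, with no authentication tie-in, whereas the sibling domain exclusion right below it only applies when `coalesce(headers.auth_summary.dmarc.pass, false)` is true; the two exclusions should be held to the same standard, e.g. `and not (strings.ends_with(headers.message_id, '@odspnotify>') and coalesce(headers.auth_summary.dmarc.pass, false))`. The comment `// not sent via legitimate Microsoft infra` would be more useful if it named what the `@odspnotify>` suffix identifies (presumably a Microsoft notification service — confirm), since a reader cannot tell from the rule why that Message-ID shape is trusted. Separately, the added body phrase `'new message in teams'` is much broader than the OCR phrase it sits beside; a short comment recording the sample that motivated it would help the next tuning pass. The `source: |` block this hunk modifies starts before line 9 and continues past the hunk.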
diff --git a/detection-rules/impersonation_microsoft_teams.yml b/detection-rules/impersonation_microsoft_teams.yml
index 974871dc745..6e61e51d22f 100644
--- a/detection-rules/impersonation_microsoft_teams.yml
+++ b/detection-rules/impersonation_microsoft_teams.yml
@@ -29,7 +29,10 @@ source: |
 sender.email.domain.root_domain in (
 "microsoft.com",
 "microsoftsupport.com",
- "office.com"
+ "office.com",
+ "mail.microsoft",
+ "service-now.com",
+ "atlassian.net"
 )
 and coalesce(headers.auth_summary.dmarc.pass, false)
 )
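Review bot: Adding `"service-now.com"` and `"atlassian.net"` to this exemption list puts multi-tenant SaaS root domains alongside Microsoft-owned ones, and the DMARC check that gates the list only establishes that the mail transited that platform, not which tenant authored the Teams-themed content; the exemption is therefore broader than the comment `// not sent via legitimate Microsoft infra` (added in the first patch, just above this hunk) describes. Consider scoping these two entries to the specific notification sender address or host rather than the root domain, and at minimum record why they were added, e.g. `// service-now.com / atlassian.net are shared SaaS platforms; DMARC pass only proves transit, not tenant`. `"mail.microsoft"` is a Microsoft-operated namespace and fits the existing intent, so it needs no such caveat. The enclosing `source: |` block starts before line 29 and ends outside this hunk.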