Brand Impersonation: Microsoft Teams Invitation

Sublime Rules

Summary
This rule detects potential phishing attempts that impersonate Microsoft Teams invitations. It does so by analyzing inbound messages for text patterns associated with Teams invites, such as 'join the meeting now', 'Meeting ID:', and 'Passcode:'. The rule further requires that messages meet certain criteria: they are not replies, contain fewer than ten links, and lack the unsubscribe links commonly found in legitimate newsletters. A significant check verifies that the 'join the meeting now' link does not resolve to a Microsoft-related domain; a join link handled outside Microsoft infrastructure may indicate malicious intent. The absence of phone dial-in options strengthens the suspicion, as legitimate Teams invites typically include them. The rule also captures abnormal HTML elements not typical of genuine invitations, providing an additional layer of verification. Lastly, the rule accounts for the sender's domain trustworthiness: messages from high-trust domains that fail DMARC authentication are still flagged, which keeps the rule effective against phishing that spoofs an otherwise reputable sender.
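The conditions described above, re-implemented as an added Python example rather than the rule's own MQL, so the logic can be exercised against a constructed message. The Microsoft domain set, the list of "abnormal" HTML elements, the dial-in pattern, and the way the supporting indicators are combined are assumptions made for this illustration, not taken from the rule; the sample messages are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording the rule summary associates with a Teams invite.
INVITE_PHRASES = ("join the meeting now", "meeting id:", "passcode:")
# Assumption: registered domains a genuine "Join the meeting now" link resolves to.
MICROSOFT_DOMAINS = {"microsoft.com", "microsoftonline.com", "live.com"}
# Assumption: elements a genuine invite never carries.
ABNORMAL_TAGS = {"form", "input", "script", "iframe"}
# Assumption: how a dial-in option shows up (phrase or a +country-code number).
DIAL_IN_RE = re.compile(r"dial[- ]?in by phone|\+\d[\d\s().-]{7,}\d", re.IGNORECASE)
MAX_LINKS = 10


class _Extractor(HTMLParser):
    """Collect anchors as (href, visible text) plus any abnormal element names."""

    def __init__(self):
        super().__init__()
        self.links, self.abnormal = [], set()
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag in ABNORMAL_TAGS:
            self.abnormal.add(tag)
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def registered_domain(url):
    """'https://teams.microsoft.com/l/x' -> 'microsoft.com' (naive two-label cut)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def evaluate(msg):
    """Apply the rule's conditions to one message dict; return (flagged, reason)."""
    body = msg["body_html"]
    text = body.lower()
    if not all(phrase in text for phrase in INVITE_PHRASES):
        return False, "no Teams invite wording"
    if msg.get("is_reply"):
        return False, "reply to an existing thread"
    parser = _Extractor()
    parser.feed(body)
    if len(parser.links) >= MAX_LINKS:
        return False, "too many links for an invite"
    if any("unsubscribe" in (href + label).lower() for href, label in parser.links):
        return False, "unsubscribe link present (newsletter)"
    join_links = [h for h, label in parser.links if "join the meeting now" in label.lower()]
    if not join_links:
        return False, "no join link"
    if registered_domain(join_links[0]) in MICROSOFT_DOMAINS:
        return False, "join link resolves to Microsoft"
    # A high-trust sender that passes DMARC is left alone; a high-trust sender failing DMARC
    # (or any other sender) continues to the supporting checks.
    if msg.get("sender_domain") in msg.get("high_trust_domains", ()) and msg.get("dmarc_pass"):
        return False, "trusted sender with DMARC pass"
    indicators = []
    if not DIAL_IN_RE.search(body):
        indicators.append("no dial-in option")
    if parser.abnormal:
        indicators.append("abnormal HTML: " + ",".join(sorted(parser.abnormal)))
    if not indicators:
        return False, "no supporting indicators"
    return True, "join link off Microsoft; " + "; ".join(indicators)


# Constructed sample messages (not real phishing or Microsoft content).
SAMPLE_PHISH = {
    "body_html": (
        "<html><body><p>You have been invited to a Microsoft Teams meeting.</p>"
        '<p><a href="https://teams-join.example-phish.test/m/123">Join the meeting now</a></p>'
        "<p>Meeting ID: 123 456 789 0<br>Passcode: AbCdEf</p>"
        '<form action="https://teams-join.example-phish.test/login"><input name="pw"></form>'
        "</body></html>"
    ),
    "sender_domain": "example-phish.test",
}
SAMPLE_LEGIT = {
    "body_html": (
        "<html><body><p>Microsoft Teams meeting</p>"
        '<p><a href="https://teams.microsoft.com/l/meetup-join/abc">Join the meeting now</a></p>'
        "<p>Meeting ID: 987 654 321 0<br>Passcode: ZyXwVu</p>"
        "<p>Dial in by phone: +1 555-000-1234</p></body></html>"
    ),
    "sender_domain": "example.com",
}

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, evaluate(sample))
```

The hard conditions (invite wording, not a reply, link count, no unsubscribe link, non-Microsoft join link) gate the verdict; the dial-in and HTML checks are treated as supporting indicators, at least one of which must be present. Tuning those weights, and the domain set in `MICROSOFT_DOMAINS`, is where false positives on vendor-hosted conferencing services would be handled.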
Categories
  • Identity Management
  • Web
Data Sources
  • User Account
  • Process
  • Network Traffic
  • Application Log
Created: 2025-05-06