Service abuse: Callback phishing via Microsoft Teams invite

Sublime Rules

Summary
This detection rule identifies potential callback phishing delivered through Microsoft Teams invitations. It targets emails sent from the legitimate Microsoft Teams domain ("teams.mail.microsoft") that contain a link with the display text "Open Microsoft Teams" pointing to login.microsoftonline.com. It then examines the email body for keywords commonly associated with scams, such as payment-related terms (e.g., 'purchase', 'transaction', 'subscription') and well-known brands that might be spoofed. The rule also uses a regex to detect possible phone numbers that could lead to further scam attempts. Together, these checks raise alerts on high-severity phishing tactics that attempt to manipulate users into providing sensitive information or redirecting them to fraudulent sites.
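The checks described in the summary, sketched in Python as an added example; this is not the Sublime rule's own source. Assumptions: the `Email` structure, the placeholder brand names, the phone regex, and the choice to require all four signals together are illustrative, since the summary does not give the rule's exact lists, pattern or combination logic.

```python
import re
from dataclasses import dataclass, field

# 'purchase', 'transaction' and 'subscription' come from the summary; the brand
# names are constructed placeholders, not the rule's actual list.
KEYWORD_RE = re.compile(
    r"\b(?:purchase|transaction|subscription|examplepay|examplesecure)\b", re.I)
# Assumed loose phone pattern (NANP-style); the rule's own regex is not shown.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")

@dataclass
class Email:
    sender_domain: str
    body: str
    links: list = field(default_factory=list)  # (display_text, href_host) pairs

def evaluate(msg: Email) -> dict:
    """Return each signal separately so an analyst can see why a message matched."""
    signals = {
        "teams_sender": msg.sender_domain.lower() == "teams.mail.microsoft",
        "teams_link": any(
            text.strip() == "Open Microsoft Teams"
            and host.lower() == "login.microsoftonline.com"
            for text, host in msg.links),
        "keywords": sorted({m.lower() for m in KEYWORD_RE.findall(msg.body)}),
        "phones": PHONE_RE.findall(msg.body),
    }
    # Assumption: all four signals must be present for an alert.
    signals["match"] = bool(signals["teams_sender"] and signals["teams_link"]
                            and signals["keywords"] and signals["phones"])
    return signals

# Constructed sample messages (not real mail).
TEAMS_LINK = [("Open Microsoft Teams", "login.microsoftonline.com")]
SCAM = Email("teams.mail.microsoft",
             "Your ExamplePay subscription renewed. To dispute this "
             "transaction call +1 (808) 555-0142.", TEAMS_LINK)
BENIGN = Email("teams.mail.microsoft",
               "You have been added to the Weekly Project Sync team.", TEAMS_LINK)
OFF_DOMAIN = Email("mail.example.com", SCAM.body, TEAMS_LINK)

if __name__ == "__main__":
    for name, msg in (("scam", SCAM), ("benign", BENIGN), ("off-domain", OFF_DOMAIN)):
        print(name, evaluate(msg))
```

The benign invite carries the same sender and link as the scam sample, which shows why the body keyword and phone-number checks are what separate abuse of the service from ordinary Teams mail.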
Categories
  • Cloud
  • Endpoint
  • Web
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Network Traffic
  • Process
Created: 2025-12-13