If you have your UCM setup so that you are routing through a set of translations for the purposes of call block, then, 900! should block that, unless you have a more specific length you can apply to the pattern, then you could do 900XX...X up to whatever length. Those are all the same length so if the 900 prefix doesn't overlap with something else, then 900XXXXXXXXXXX would work with the length given there.
It's been a while since I looked at this configuration in the UCM, but it is reasonably well documented.
As others have said, if they're spoofing numbers then you're playing with a moving target. In my experience unless someone is specifically out for you, they will stop calling for a while after it's blocked, until the next thing starts up again in the future. Car warranties, packages at the embassy, whatever. Managing a sieve via translation patterns is no fun, if the caller is spoofing a block of numbers that you'd need to try and accept legitimate contacts from.
I don't know your numbering plan either to comment on what those are, or the format. In NANP land, I've seen things show up like that rarely but when someone on the other end has misconfigured something, or is trying to get someone to hit redial and call back. Sometimes that is a scam for money, sometimes its an innocent target.
Depending on your organization, you could treat it like a phishing attempt, and let your users know not to answer calls from numbers that look like ___ unless they know the person, not to press 1 as it's not a legitimate issue, forward calls to IT if they're not sure, etc, and just endure the ringing for a bit.
