Google Classroom Spoofing With WhatsApp Contact Information
Detects messages impersonating Google Classroom notifications that contain WhatsApp contact information, likely attempting to redirect victims to out-of-band communication channels for social engineering attacks.
Sublime rule (View on GitHub)
name: "Google Classroom Spoofing With WhatsApp Contact Information"
description: "Detects messages impersonating Google Classroom notifications that contain WhatsApp contact information, likely attempting to redirect victims to out-of-band communication channels for social engineering attacks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "no-reply@classroom.google.com"
  and (
    // check for a WhatsApp invitation in the current_thread
    (
      regex.icontains(body.current_thread.text, '\bWhatsapp:?.[:0-9+ ]{7,20}\b')
      or (
        strings.icontains(body.current_thread.text, "WhatsApp")
        and strings.icontains(body.current_thread.text, "invited")
      )
    )
    // check for a WhatsApp invitation within the OCR of an attachment
    or (
      any(file.explode(beta.message_screenshot()),
          regex.icontains(.scan.ocr.raw,
                          // International format with OCR-friendly character classes
                          '\+?[ilo0-9]{1,3}[\s\.\-⋅]?\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{3,4}',
                          // US format
                          '\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{4}',
          )
          // and mentions of WhatsApp in the screenshot
          and (
            regex.icontains(.scan.ocr.raw, '[Ww]hats[Aa]pp|[Ww]hatsapp')
            or regex.icontains(.scan.ocr.raw, // WhatsApp-specific format
                               '[Ww]hats[Aa]pp:?[\s]*[+]?[ilo0-9\s\.\-⋅\(\)]{10,18}'
            )
          )
      )
    )
  )

attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "e9c39e92-4817-535a-91f9-13ad68885ff9"
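As an added example, not Sublime's code and not part of the rule itself, the following Python re-creates the rule's decision logic with the standard `re` module so the patterns can be exercised offline against constructed sample messages. The regular expressions are copied verbatim from the rule; the `Message` class, the helper names and the sample texts are hypothetical stand-ins for the MQL fields (`sender.email.email`, `body.current_thread.text`, `.scan.ocr.raw`). The samples show why the OCR branch needs both a phone-number shape and a WhatsApp mention, and why a message from any sender other than the spoofed Classroom address never fires.

```python
import re
from dataclasses import dataclass, field

# Sender the rule keys on: Google Classroom's genuine notification address,
# which the phishing messages spoof.
SPOOFED_SENDER = "no-reply@classroom.google.com"

# Body check, mirroring the rule's current_thread branch (regex copied from the rule).
BODY_WHATSAPP_NUMBER = re.compile(r"\bWhatsapp:?.[:0-9+ ]{7,20}\b", re.IGNORECASE)

# OCR checks (regexes copied from the rule). The [ilo0-9] classes accept i, l
# and o where OCR commonly misreads the digits 1 and 0, so a screenshotted
# number still matches.
INTL_PHONE = re.compile(
    r"\+?[ilo0-9]{1,3}[\s\.\-⋅]?\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{3,4}",
    re.IGNORECASE)
US_PHONE = re.compile(
    r"\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{4}",
    re.IGNORECASE)
OCR_WHATSAPP = re.compile(r"[Ww]hats[Aa]pp|[Ww]hatsapp", re.IGNORECASE)
OCR_WHATSAPP_NUMBER = re.compile(
    r"[Ww]hats[Aa]pp:?[\s]*[+]?[ilo0-9\s\.\-⋅\(\)]{10,18}", re.IGNORECASE)


@dataclass
class Message:
    """Hypothetical stand-in for the message fields the rule reads (not MQL)."""
    inbound: bool                    # type.inbound
    sender: str                      # sender.email.email
    body_text: str                   # body.current_thread.text
    screenshot_ocr: list = field(default_factory=list)  # .scan.ocr.raw per screenshot


def body_matches(text: str) -> bool:
    """current_thread branch: a WhatsApp number, or 'WhatsApp' together with 'invited'."""
    if BODY_WHATSAPP_NUMBER.search(text):
        return True
    lowered = text.lower()
    return "whatsapp" in lowered and "invited" in lowered


def ocr_matches(ocr_text: str) -> bool:
    """Screenshot branch: a phone-number shape AND a WhatsApp mention in the OCR text."""
    has_number = INTL_PHONE.search(ocr_text) or US_PHONE.search(ocr_text)
    has_whatsapp = OCR_WHATSAPP.search(ocr_text) or OCR_WHATSAPP_NUMBER.search(ocr_text)
    return bool(has_number and has_whatsapp)


def rule_matches(msg: Message) -> bool:
    """Top-level logic: inbound, spoofed Classroom sender, and either branch."""
    if not msg.inbound or msg.sender.lower() != SPOOFED_SENDER:
        return False
    return body_matches(msg.body_text) or any(ocr_matches(o) for o in msg.screenshot_ocr)


# Constructed sample messages (illustrative, not real phishing samples).
SAMPLES = {
    "legit_notification": Message(True, SPOOFED_SENDER,
        "Your teacher posted a new assignment in Algebra I."),
    "whatsapp_number_in_body": Message(True, SPOOFED_SENDER,
        "Contact me on WhatsApp: +1 555 010 2345 for the assignment."),
    "whatsapp_invite_in_body": Message(True, SPOOFED_SENDER,
        "You have been invited to join our WhatsApp study group."),
    "whatsapp_mention_only": Message(True, SPOOFED_SENDER,
        "Install WhatsApp to chat with classmates."),
    "number_only_in_screenshot": Message(True, SPOOFED_SENDER,
        "See the attached image.", ["Call +l 555 0l0 2345 now"]),
    "whatsapp_in_screenshot": Message(True, SPOOFED_SENDER,
        "See the attached image.", ["Message us on Whatsapp +l 555 0l0 2345"]),
    "other_sender": Message(True, "teacher@example.com",
        "Contact me on WhatsApp: +1 555 010 2345 for the assignment."),
}


def evaluate_samples() -> dict:
    """Run the re-created rule over every sample; returns sample name -> verdict."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{str(verdict):5}  {name}")
```

The `whatsapp_mention_only` and `number_only_in_screenshot` samples are the useful negatives: a bare brand mention in the body, or a phone number in a screenshot with no WhatsApp context, is not enough on its own, which keeps the rule from firing on ordinary Classroom mail that happens to mention messaging apps or phone numbers.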