Google Classroom Spoofing With WhatsApp Contact Information

Detects messages impersonating Google Classroom notifications that contain WhatsApp contact information, likely attempting to redirect victims to out-of-band communication channels for social engineering attacks.

Sublime rule (View on GitHub)

name: "Google Classroom Spoofing With WhatsApp Contact Information"
description: "Detects messages impersonating Google Classroom notifications that contain WhatsApp contact information, likely attempting to redirect victims to out-of-band communication channels for social engineering attacks."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "no-reply@classroom.google.com"
  and (
    // check for a WhatsApp invitation in the current_thread
    (
      regex.icontains(body.current_thread.text, '\bWhatsapp:?.[:0-9+ ]{7,20}\b')
      or (
        strings.icontains(body.current_thread.text, "WhatsApp")
        and strings.icontains(body.current_thread.text, "invited")
      )
    )
    // check for a WhatsApp invitation within the OCR of an attachment
    or (
      any(file.explode(beta.message_screenshot()),
          regex.icontains(.scan.ocr.raw,
                          // International format with OCR-friendly character classes
                          '\+?[ilo0-9]{1,3}[\s\.\-⋅]?\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{3,4}',
                          // US format
                          '\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{4}',
          )
          // and mentions of WhatsApp in the screenshot
          and (
            regex.icontains(.scan.ocr.raw, '[Ww]hats[Aa]pp|[Ww]hatsapp')
            or regex.icontains(.scan.ocr.raw, // WhatsApp-specific format
                               '[Ww]hats[Aa]pp:?[\s]*[+]?[ilo0-9\s\.\-⋅\(\)]{10,18}'
            )
          )
      )
    )
  )

attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "e9c39e92-4817-535a-91f9-13ad68885ff9"
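To show how the rule's two branches behave on concrete input, here is an added Python re-implementation of its logic; it is example code written for this page, not Sublime's engine or any code from the rule's repository. It models a message as a sender address, the current-thread body text and a list of OCR strings (standing in for `.scan.ocr.raw` of each exploded screenshot), and applies the rule's regexes with Python's `re` module in case-insensitive mode, which is how `regex.icontains` and `strings.icontains` are approximated here. The `type.inbound` check is assumed true and omitted; all sample messages and OCR strings are constructed.

```python
import re

# Sender the rule pins the check to (taken from the rule above).
CLASSROOM_SENDER = "no-reply@classroom.google.com"

# --- current_thread branch: a "WhatsApp" label followed by a number ---
WHATSAPP_NUMBER_BODY = re.compile(r"\bWhatsapp:?.[:0-9+ ]{7,20}\b", re.IGNORECASE)

# --- OCR branch: phone numbers with OCR-tolerant character classes ---
# [ilo0-9] also accepts the letters OCR commonly confuses with digits
# (i/l for 1, o for 0); the separator class covers space, dot, hyphen, dot operator.
OCR_SEP = r"[\s\.\-⋅]"
OCR_INTERNATIONAL = re.compile(
    r"\+?[ilo0-9]{1,3}" + OCR_SEP + r"?\(?[ilo0-9]{3}\)?"
    + OCR_SEP + r"{0,3}[ilo0-9]{3}" + OCR_SEP + r"{0,3}[ilo0-9]{3,4}",
    re.IGNORECASE,
)
OCR_US = re.compile(
    r"\(?[ilo0-9]{3}\)?" + OCR_SEP + r"{0,3}[ilo0-9]{3}" + OCR_SEP + r"{0,3}[ilo0-9]{4}",
    re.IGNORECASE,
)
WHATSAPP_MENTION = re.compile(r"[Ww]hats[Aa]pp|[Ww]hatsapp")
WHATSAPP_OCR_FORMAT = re.compile(
    r"[Ww]hats[Aa]pp:?[\s]*[+]?[ilo0-9\s\.\-⋅\(\)]{10,18}"
)


def body_branch(body_text: str) -> bool:
    """current_thread check: labelled number, or 'WhatsApp' plus 'invited'."""
    lowered = body_text.lower()
    return bool(WHATSAPP_NUMBER_BODY.search(body_text)) or (
        "whatsapp" in lowered and "invited" in lowered
    )


def ocr_branch(ocr_texts: list[str]) -> bool:
    """Screenshot check: the SAME OCR text must carry both a phone number
    and a WhatsApp mention, mirroring the any(...) over exploded files."""
    return any(
        (OCR_INTERNATIONAL.search(t) or OCR_US.search(t))
        and (WHATSAPP_MENTION.search(t) or WHATSAPP_OCR_FORMAT.search(t))
        for t in ocr_texts
    )


def matches_rule(sender: str, body_text: str, ocr_texts: list[str]) -> dict:
    """Return which parts of the rule fired and the overall verdict."""
    sender_ok = sender.lower() == CLASSROOM_SENDER
    body_hit = body_branch(body_text)
    ocr_hit = ocr_branch(ocr_texts)
    return {
        "sender": sender_ok,
        "body": body_hit,
        "ocr": ocr_hit,
        "match": sender_ok and (body_hit or ocr_hit),
    }


# Constructed samples (not real messages).
SPOOF_BODY = (
    "Hi, your teacher posted a new announcement in Math 101.\n"
    "Contact me on WhatsApp: +1 555 012 3456 to discuss the assignment."
)
INVITE_BODY = "You have been invited to a WhatsApp group for this class."
BENIGN_BODY = "Your teacher posted a new assignment in Math 101. Due Friday."
# OCR output with typical digit confusions (l for 1, O for 0).
SPOOF_OCR = "Message us on WhatsApp +l 555 Ol2 3456"
BENIGN_OCR = "Math 101 - Assignment 3 due 10/12"

if __name__ == "__main__":
    for label, body, ocr in [
        ("body spoof", SPOOF_BODY, []),
        ("invite spoof", INVITE_BODY, []),
        ("screenshot spoof", BENIGN_BODY, [SPOOF_OCR]),
        ("benign", BENIGN_BODY, [BENIGN_OCR]),
    ]:
        print(label, matches_rule(CLASSROOM_SENDER, body, ocr))
```

The split into `body_branch` and `ocr_branch` makes it easy to see which side of the rule fired when tuning: a benign Classroom notification with a date in a screenshot satisfies neither the phone-number pattern nor the WhatsApp mention, while the OCR branch only fires when both appear in the same image text, which is what keeps the OCR-tolerant digit classes from matching ordinary numbers on their own.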