Service abuse: Google classroom solicitation

calendar Sep 29, 2025  ·
Share on: linkedin copy

Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders.

Sublime rule (View on GitHub)

 1name: "Service abuse: Google classroom solicitation"
 2description: "Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // 
 8  //  Warning: This rule contains sexually explicit keywords
 9  // 
10  and sender.email.email == "no-reply@classroom.google.com"
11  and any(regex.iextract(body.html.display_text,
12                       '(?P<sender_email>(?P<sender_name>[a-zA-Z0-9._%+-]+)@(?P<sender_domain>[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))'
13        ),
14        .named_groups["sender_email"] not in $sender_emails
15        and .named_groups["sender_email"] not in $recipient_emails
16    )
17  and (
18    // check for a WhatsApp invitation in the currend_thread
19    (
20      regex.icontains(body.current_thread.text, '\bWhatsapp:?.[:0-9+ ]{7,20}\b')
21      or (
22        strings.icontains(body.current_thread.text, "WhatsApp")
23        and strings.icontains(body.current_thread.text, "invited")
24      )
25      // look for an emoji in the subject
26      or (
27          regex.icontains(subject.subject,
28          '[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]')
29      )
30      // look for sexually explicit subject titles
31      or regex.icontains(subject.subject, 
32          '(?:give me|your satisfaction|sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)')
33    )
34    // check for WhatsApp invitation within the OCR of an attachment. 
35    or (
36      any(file.explode(file.message_screenshot()),
37          regex.icontains(.scan.ocr.raw,
38                          // International format with OCR-friendly character classes
39                          '\+?[ilo0-9]{1,3}[\s\.\-⋅]?\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{3,4}',
40                          // US format
41                          '\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{4}',
42          )
43          // and mentions of WhatsApp in the screenshot
44          and (
45            regex.icontains(.scan.ocr.raw, '[Ww]hats[Aa]pp|[Ww]hatsapp')
46            or regex.icontains(.scan.ocr.raw, // WhatsApp-specific format
47                               '[Ww]hats[Aa]pp:?[\s]*[+]?[ilo0-9\s\.\-⋅\(\)]{10,18}'
48            )
49          )
50      )
51    )
52  )  
53
54attack_types:
55  - "Callback Phishing"
56  - "BEC/Fraud"
57tactics_and_techniques:
58  - "Impersonation: Brand"
59  - "Out of band pivot"
60  - "Social engineering"
61detection_methods:
62  - "Content analysis"
63  - "Header analysis"
64  - "Sender analysis"
65id: "e9c39e92-4817-535a-91f9-13ad68885ff9"
to-top