Attachment: Credit card application with WhatsApp contact
Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud.
Sublime rule
# Sublime detection rule (MQL). Flags inbound promotional credit-card offers whose
# attachments look like a PII-harvesting application form and whose contact channel
# is WhatsApp. Three independent gates must all hold — see the comments in `source`.
name: "Attachment: Credit card application with WhatsApp contact"
description: "Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only.
  type.inbound
  // Gate 1 — promotional/advertising content targeting financial services.
  // A keyword hit in the current-thread body or the subject is required AND the
  // NLU classifier must independently tag the body as advertising, so a stray
  // keyword on its own does not satisfy this gate.
  and (
    (
      regex.icontains(body.current_thread.text,
                      "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
      )
      // NOTE(review): the subject pattern omits the `special offer` alternation
      // used for the body above — confirm the asymmetry is intentional.
      or regex.icontains(subject.subject,
                         "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
      )
    )
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Advertising and Promotions")
    )
  )
  // Gate 2 — PII harvesting template in attachments (3+ of these patterns).
  // Every attachment is exploded and the extracted raw strings are searched; at
  // least three of the field labels below must appear in a single exploded file.
  // "Pan No" / "ADHAAR" are Indian identity-document labels; "ADHAAR" is a
  // substring of the correct spelling "AADHAAR", so both spellings match.
  // icontains is already case-insensitive, so the [eE]/[aA] classes are
  // redundant but harmless.
  // NOTE(review): "Email", "Address" and "Contact No" appear on most ordinary
  // forms, so those three alone meet the threshold — a likely source of false
  // positives on benign application documents; consider tuning if seen.
  and any(attachments,
    any(file.explode(.),
      3 of (
        regex.icontains(.scan.strings.raw, "Credit Card Application"),
        regex.icontains(.scan.strings.raw, "Date of Birth"),
        regex.icontains(.scan.strings.raw, "[eE]mail"),
        regex.icontains(.scan.strings.raw, "[aA]ddress"),
        regex.icontains(.scan.strings.raw, "Contact No"),
        regex.icontains(.scan.strings.raw, "Pan No"),
        regex.icontains(.scan.strings.raw, "ADHAAR"),
        regex.icontains(.scan.strings.raw, "Annual.*salary"),
        regex.icontains(.scan.strings.raw, "Mother Name"),
        regex.icontains(.scan.strings.raw, "Father Name"),
        regex.icontains(.scan.strings.raw, "SINGLE.*MARRIED")
      )
    )
  )
  // Gate 3 — WhatsApp contact method (suspicious for legitimate financial institutions).
  // Satisfied by a plain "whatsapp" mention in the body text, or by a wa.me URL
  // decoded from a QR code found either inside an attachment or in a rendered
  // screenshot of the message (file.message_screenshot()) — the latter is meant
  // to cover QR codes that appear in the body rather than in a file.
  and (
    regex.icontains(body.current_thread.text, "whatsapp")
    or any(attachments,
      any(file.explode(.), regex.icontains(.scan.qr.url.url, "wa\\.me"))
    )
    or any(file.explode(file.message_screenshot()),
      regex.icontains(.scan.qr.url.url, "wa\\.me")
    )
  )

# Classification metadata used for triage and reporting.
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
# Rule identifier (UUID).
id: "95b08315-93a6-5005-8f38-ff597eb9f947"