BEC/Fraud - Student loan callback phishing

This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.

Sublime rule (View on GitHub)

name: "BEC/Fraud - Student loan callback phishing"
description: "This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement."
type: "rule"
severity: "medium"
# MQL query. The top-level conditions are chained with `and`, so every
# commented block below must hold for the rule to fire; the phone-number
# block is the only place where alternatives are OR-ed together.
source: |
  type.inbound
  // there is no HTML body
  and body.html.raw is null
  
  // but the current thread contains what's most likely an html tag 
  // (eg. <>'s' followed by a closing </> ) -- markup left behind in a
  // plain-text body, which legitimate mail clients do not normally produce
  and regex.contains(body.current_thread.text, '<[^>]+>.*?</[^>]+>')
  
  // and the body mentions student loans (case-insensitive substring match)
  and strings.icontains(body.current_thread.text, "Student Loan")
  
  // sourced from a free mail provider
  and sender.email.domain.root_domain in $free_email_providers
  
  // contains a phone number in one of several formats. every branch runs on
  // strings.replace_confusables() output so that look-alike characters are
  // normalised before the digit patterns are applied. the "// <example>"
  // comment after each closing paren gives a number that branch matches
  and (
    // loose catch-all: optional '+', optional leading digit, optional '(' ')'
    // around the area code, one separator of any kind between groups.
    // NOTE(review): the unescaped '.' matches any character, and '\d{3}?' is
    // a lazy quantifier that still requires exactly three digits, so this
    // branch is broader than its shape suggests and already matches several
    // of the separated formats listed below
    regex.contains(strings.replace_confusables(body.current_thread.text),
                   '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
    )
    // '+' country code followed by exactly ten digits, no separators
    or regex.contains(strings.replace_confusables(body.current_thread.text),
                      '\+\d{1,3}[0-9]{10}'
    )
    or // +12028001238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '[0-9]{3}\.[0-9]{3}\.[0-9]{4}'
    )
    or // 202.800.1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '[0-9]{3}-[0-9]{3}-[0-9]{4}'
    )
    or // 202-800-1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '\([0-9]{3}\)\s[0-9]{3}-[0-9]{4}'
    )
    or // (202) 800-1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '\([0-9]{3}\)-[0-9]{3}-[0-9]{4}'
    )
    or // (202)-800-1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '1 [0-9]{3} [0-9]{3} [0-9]{4}'
    ) // 1 202 800 1238
    // any ten-digit run starting with 8, no separators. there is no word
    // boundary on either side, so this also fires inside longer digit
    // strings (account or reference numbers); expect this branch to be the
    // noisiest of the set
    or regex.contains(strings.replace_confusables(body.current_thread.text),
                      '8\d{9}'
    ) // 8123456789
  )
  
  // contains a request: the NLU classifier must tag at least one entity of
  // type "request" in the thread text (e.g. asking the recipient to call back)
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  
  // sender is unsolicited: the sender profile for this recipient does not
  // mark the sender as one they have previously solicited mail from
  and not profile.by_sender().solicited
    

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "a71f82c3-36fe-54ca-ac72-ac65997525f5"