BEC/Fraud: Student loan callback phishing

calendar May 1, 2026  ·
Share on: linkedin copy

This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.

Sublime rule (View on GitHub)

 1name: "BEC/Fraud: Student loan callback phishing"
 2description: "This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  // there is no HTML body
 8  and body.html.raw is null
 9  
10  // but the current thread contains what's most likely an html tag
11  // (eg. <>'s' followed by a closing </> )
12  and regex.contains(body.current_thread.text, '<[^>]+>.*?</[^>]+>')
13  
14  // and the body mentions student loans
15  and strings.icontains(body.current_thread.text, "Student Loan")
16  
17  // sourced from a free mail provider
18  and sender.email.domain.root_domain in $free_email_providers
19  
20  // contains a phone number
21  and (
22    regex.contains(strings.replace_confusables(body.current_thread.text),
23                   '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
24    )
25    or regex.contains(strings.replace_confusables(body.current_thread.text),
26                      '\+\d{1,3}[ilo0-9]{10}'
27    )
28    // +12028001238
29    or regex.contains(strings.replace_confusables(body.current_thread.text),
30                      '[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}'
31    )
32    // 202.800.1238
33    or regex.contains(strings.replace_confusables(body.current_thread.text),
34                      '[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}'
35    )
36    // 202-800-1238
37    or regex.contains(strings.replace_confusables(body.current_thread.text),
38                      '\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}'
39    )
40    // (202) 800-1238
41    or regex.contains(strings.replace_confusables(body.current_thread.text),
42                      '\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}'
43    )
44    // (202)-800-1238
45    or regex.contains(strings.replace_confusables(body.current_thread.text),
46                      '1 [ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}'
47    ) // 8123456789
48    or regex.contains(strings.replace_confusables(body.current_thread.text),
49                      '8\d{9}'
50    )
51  )
52  
53  // contains a request
54  and any(ml.nlu_classifier(body.current_thread.text).entities,
55          .name == "request"
56  )  
57attack_types:
58  - "BEC/Fraud"
59tactics_and_techniques:
60  - "Free email provider"
61  - "Out of band pivot"
62  - "Social engineering"
63detection_methods:
64  - "Content analysis"
65  - "Natural Language Understanding"
66  - "Sender analysis"
67id: "a71f82c3-36fe-54ca-ac72-ac65997525f5"
to-top