Callback scam: Impersonation via TimeTrade infrastructure

Detects callback scam messages that abuse legitimate TimeTrade sending infrastructure to impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, or LifeLock. The message contains purchase, payment, or subscription-related terms along with a phone number, soliciting victims to call for fraudulent support.

Sublime rule (View on GitHub)

name: "Callback scam: Impersonation via TimeTrade infrastructure"
description: "Detects callback scam messages that abuse legitimate TimeTrade sending infrastructure to impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, or LifeLock. The message contains purchase, payment, or subscription-related terms along with a phone number, soliciting victims to call for fraudulent support."
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Legitimate TimeTrade sending infrastructure
  and sender.email.domain.root_domain == 'timetrade.com'

  // Callback Phishing: impersonated brand named in the current thread
  and regex.icontains(body.current_thread.text,
                      (
                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
                      )
  )
  // at least three purchase/payment/support lures
  and 3 of (
    strings.ilike(body.current_thread.text, '*purchase*'),
    strings.ilike(body.current_thread.text, '*payment*'),
    strings.ilike(body.current_thread.text, '*transaction*'),
    strings.ilike(body.current_thread.text, '*subscription*'),
    strings.ilike(body.current_thread.text, '*antivirus*'),
    strings.ilike(body.current_thread.text, '*order*'),
    strings.ilike(body.current_thread.text, '*support*'),
    strings.ilike(body.current_thread.text, '*help line*'),
    strings.ilike(body.current_thread.text, '*receipt*'),
    strings.ilike(body.current_thread.text, '*invoice*'),
    strings.ilike(body.current_thread.text, '*call*'),
    strings.ilike(body.current_thread.text, '*cancel*'),
    strings.ilike(body.current_thread.text, '*renew*'),
    strings.ilike(body.current_thread.text, '*refund*')
  )
  // phone number regex (digit look-alikes i, l, o allowed) in body or subject
  and any([body.current_thread.text, subject.subject],
          regex.icontains(.,
                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
          )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Sender analysis"
  - "Header analysis"
id: "0c0b3664-fbad-5d29-82f4-40c702549857"
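To show how the four conditions of the rule combine (TimeTrade root domain, impersonated brand, three or more lure terms, and a phone number in body or subject), the Python below re-implements the same logic and runs it over constructed sample messages. This is an added example, not code from Sublime or from the rule's repository: the `Message` class, `evaluate` and `root_domain` are stand-ins for Sublime's `sender`, `subject` and `body.current_thread` objects, and `root_domain` is simplified to the last two DNS labels rather than a public-suffix-aware lookup. The regular expressions and term list are copied from the rule unchanged.

```python
import re
from dataclasses import dataclass


@dataclass
class Message:
    """Hypothetical minimal message model (assumption, not Sublime's API)."""
    sender_email: str
    subject: str
    body_text: str  # stands in for body.current_thread.text


# Brand alternation from the rule; [o0] tolerates zero-for-o lookalike spellings.
BRAND_RE = re.compile(
    r"mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck",
    re.IGNORECASE,
)

# Lure terms from the rule's "3 of (...)" block; strings.ilike('*term*') is a
# case-insensitive substring test, mirrored here with `in` on lowercased text.
TERMS = [
    "purchase", "payment", "transaction", "subscription", "antivirus", "order",
    "support", "help line", "receipt", "invoice", "call", "cancel", "renew", "refund",
]

# Phone patterns from the rule; [ilo0-9] accepts i/l/o as digit look-alikes.
PHONE_RES = [
    re.compile(r"\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}", re.IGNORECASE),
    re.compile(r"\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}", re.IGNORECASE),
]


def root_domain(email: str) -> str:
    """Simplified root domain: last two labels of the address's domain part (assumption)."""
    domain = email.rsplit("@", 1)[-1].lower()
    return ".".join(domain.split(".")[-2:])


def term_hits(text: str) -> list:
    """Return the lure terms present in the text (case-insensitive substring match)."""
    lowered = text.lower()
    return [term for term in TERMS if term in lowered]


def has_phone(text: str) -> bool:
    """True if either phone regex matches anywhere in the text (regex.icontains)."""
    return any(p.search(text) for p in PHONE_RES)


def evaluate(msg: Message) -> dict:
    """Apply the rule's four conditions and return each sub-result plus the verdict."""
    hits = term_hits(msg.body_text)
    result = {
        "timetrade_sender": root_domain(msg.sender_email) == "timetrade.com",
        "brand": BRAND_RE.search(msg.body_text) is not None,
        "term_hits": hits,
        # the rule checks both the thread body and the subject for a phone number
        "phone": has_phone(msg.body_text) or has_phone(msg.subject),
    }
    result["match"] = (
        result["timetrade_sender"] and result["brand"]
        and len(hits) >= 3 and result["phone"]
    )
    return result


# Constructed sample: the callback-scam shape the rule describes.
SCAM = Message(
    sender_email="notifications@mail.timetrade.com",
    subject="Your order confirmation",
    body_text=(
        "Thank you for your purchase of N0rton 360 antivirus. Your payment of "
        "$349.99 has been processed. To cancel or request a refund, call our "
        "support help line at +1 (800) 555-0199."
    ),
)

# Constructed sample: an ordinary scheduling notice from the same infrastructure.
BENIGN = Message(
    sender_email="notifications@mail.timetrade.com",
    subject="Appointment confirmed",
    body_text="Your appointment with Dr. Smith is confirmed for Tuesday at 3 pm. Reply to reschedule.",
)

# Constructed sample: same scam text, but not sent via TimeTrade (sender gate fails).
OTHER_SENDER = Message(sender_email="billing@example.invalid", subject=SCAM.subject, body_text=SCAM.body_text)

if __name__ == "__main__":
    for label, msg in (("scam", SCAM), ("benign", BENIGN), ("other-sender", OTHER_SENDER)):
        print(label, evaluate(msg))
```

Running the block prints each sample with its per-condition results; the scam sample matches on all four conditions, the benign scheduling notice fails the brand and term checks, and the same lure text from a non-TimeTrade sender fails the sender gate, which is what scopes this rule to abuse of that specific infrastructure.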