Callback phishing via calendar invite
Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.
name: "Callback phishing via calendar invite"
description: "Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite."
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail in which every attachment is a calendar file, judged by
  // content_type alone. A message that also carries a non-calendar attachment
  // (e.g. an ICS plus a PDF) does not match this rule.
  type.inbound
  and length(attachments) > 0
  and all(attachments, .content_type in ("text/calendar", "application/ics"))

  // Explode each attachment, walk every calendar component, and run the NLU
  // classifier over the component DESCRIPTION looking for the callback_scam intent.
  and any(attachments,
          any(file.explode(.),
              any(.scan.ics.calendars,
                  any(.components,
                      any(ml.nlu_classifier(.description).intents,
                          .name == "callback_scam"
                      )
                  )
              )
          )
  )

  // Sender context: the sender was not solicited and has no previously benign
  // messages on record.
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign

  // Highly trusted root domains are exempted only while they pass DMARC; a
  // message claiming a trusted domain but failing DMARC stays in scope.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "95c84360-d5a5-5396-b9ce-c61016cb178f"