Callback phishing via calendar invite
Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.
# Detection rule: calendar-invite (ICS) attachments whose DESCRIPTION carries
# callback-phishing language. Only fires when every attachment is a calendar
# file, the sender has no solicited/benign history, and the sender's root
# domain is either untrusted or trusted-but-failing DMARC.
name: "Callback phishing via calendar invite"
description: "Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) > 0
  // every attachment must be a calendar file; a message that also carries a
  // non-calendar attachment (e.g. a PDF) does not match this rule
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
  and any(attachments,
          // extract the calendar invite description and use NLU against it
          // (file.explode surfaces the parsed ICS; each calendar can hold several components)
          any(file.explode(.),
              any(.scan.ics.calendars,
                  any(.components,
                      // NOTE(review): components with no DESCRIPTION presumably yield
                      // null for .description here — confirm nlu_classifier and
                      // regex.contains tolerate that rather than erroring
                      (
                        // strong signal: NLU intent on the raw description text
                        any(ml.nlu_classifier(.description).intents,
                            .name == "callback_scam"
                        )
                        // same check on the HTML-stripped text, in case the
                        // description is HTML and markup hides the wording
                        or any(ml.nlu_classifier(strings.parse_html(.description).display_text
                               ).intents,
                               .name == "callback_scam"
                        )
                        // weaker signal: an invoice-viewing topic alone is not
                        // enough, it must be corroborated by emoji in the text
                        or (
                          any(ml.nlu_classifier(.description).topics,
                              .name == "Request to View Invoice"
                              and .confidence == "high"
                          )
                          // emoji regex: Emoticons, Misc Symbols & Pictographs,
                          // Transport & Map, Supplemental Symbols, Misc Symbols,
                          // Dingbats, plus variation selectors (FE00-FE0F), ZWJ
                          // (200D), combining keycap (20E3) and tag chars (E0020-E007F).
                          // NOTE(review): ZWJ and the 2600-27BF blocks also occur in
                          // non-emoji text (Indic scripts, check marks, phone symbol);
                          // verify this does not widen the match beyond intent
                          and regex.contains(.description,
                                             '[\x{1F600}-\x{1F64F}\x{1F300}-\x{1F5FF}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{FE00}-\x{FE0F}\x{200D}\x{20E3}\x{E0020}-\x{E007F}]'
                          )
                        )
                      )
                  )
              )
          )
  )
  // sender reputation gate: suppress when the sender profile shows prior
  // solicited contact or any benign message history
  and (
    not profile.by_sender_email().solicited
    and not profile.by_sender_email().any_messages_benign
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (coalesce treats a missing DMARC result as a failure, so a trusted root
  // domain with no DMARC evaluation still matches)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "ICS Phishing"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "95c84360-d5a5-5396-b9ce-c61016cb178f"