Callback phishing via calendar invite
Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.
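name: "Callback phishing via calendar invite"
description: "Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite."
type: "rule"
severity: "medium"
# MQL query evaluated against each inbound message; a match raises this rule.
# Comments inside the block scalar use MQL `//` syntax because the whole
# scalar is the query text.
source: |
  type.inbound
  // every attachment must be a calendar invite (no mixed attachment sets)
  and length(attachments) > 0
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
  and any(attachments,
          // extract the calendar invite description and use NLU against it
          any(file.explode(.),
              any(.scan.ics.calendars,
                  any(.components,
                      (
                        // branch 1: NLU intent match on the event description.
                        // NOTE(review): no .confidence filter here, unlike the
                        // topic branch below — confirm whether low-confidence
                        // intents are intended to fire this rule.
                        any(ml.nlu_classifier(.description).intents,
                            .name == "callback_scam"
                        )
                        // branch 2: high-confidence invoice topic, corroborated
                        // by emoji use in the description
                        or (
                          any(ml.nlu_classifier(.description).topics,
                              .name == "Request to View Invoice"
                              and .confidence == "high"
                          )
                          // emoji regex
                          and regex.contains(.description,
                                             '[\x{1F600}-\x{1F64F}\x{1F300}-\x{1F5FF}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{FE00}-\x{FE0F}\x{200D}\x{20E3}\x{E0020}-\x{E007F}]'
                          )
                        )
                      )
                  )
              )
          )
  )
  // sender profile gate: only unsolicited senders with no benign history
  and (
    not profile.by_sender_email().solicited
    and not profile.by_sender_email().any_messages_benign
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (equivalent to: not (high-trust domain and DMARC pass); a missing DMARC
  // result is treated as a failure via coalesce(..., false))
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not coalesce(headers.auth_summary.dmarc.pass, false)
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
  - "ICS Phishing"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "95c84360-d5a5-5396-b9ce-c61016cb178f"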