Callback Phishing via Calendar Invite
Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.
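# Sublime Security detection rule. The `source` field is MQL evaluated per
# inbound message; every other field is rule metadata.
name: "Callback Phishing via Calendar Invite"
description: "Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Only fire on messages whose attachments are all iCalendar payloads;
  // a mix of .ics plus other attachment types is out of scope for this rule.
  and length(attachments) > 0
  and all(attachments, .content_type in ("text/calendar", "application/ics"))
  and any(attachments,
          // Extract the invite's DESCRIPTION property and run NLU against it.
          //
          // RFC 5545 allows the property name to carry parameters before the
          // value separator, e.g.
          //   DESCRIPTION;ALTREP="CID:...";LANGUAGE=en:Call us at ...
          // The optional ";param..." segment is therefore accepted ahead of the
          // ':' (quoted parameter values may contain ':'; folded continuation
          // lines "\r\n " are tolerated inside the parameter segment too).
          // The value itself runs until the next unfolded property line,
          // which also covers vendor "X-" properties.
          any(regex.extract(file.parse_text(.).text,
                            'DESCRIPTION(?:;(?:"[^"\r\n]*"|[^":\r\n]|\r?\n[ \t])*)?:((?:(?:\r?\n[ \t][^\r\n]*)|[^\r\n])*?)(?:\r?\n[A-Z-][A-Z0-9-]*[;:])'
              ),
              // NOTE(review): the captured group is handed to the classifier
              // as-is, i.e. with ICS line folds ("\r\n ") and text escapes
              // ("\n", "\,") still present. Confirm the classifier tolerates
              // that; an unfold/unescape step would otherwise belong here.
              // NOTE(review): only DESCRIPTION is inspected. SUMMARY, LOCATION
              // and X-ALT-DESC are not, so callback bait placed there alone
              // will not trigger this rule.
              any(.groups,
                  any(ml.nlu_classifier(.).intents, .name == "callback_scam")
              )
          )
  )
  // Sender reputation: suppress when the org has previously reached out to
  // this sender (solicited) or has marked any of its prior messages benign.
  and (
    not profile.by_sender().solicited
    and not profile.by_sender().any_messages_benign
  )

  // Negate highly trusted sender domains unless they fail DMARC authentication.
  // A high-trust root domain is only allowed through when DMARC did not pass
  // (i.e. the trusted name is likely being spoofed); every other domain is
  // always evaluated.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "95c84360-d5a5-5396-b9ce-c61016cb178f"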