Callback phishing via Google Group abuse
A fraudulent invoice/receipt found in the body of the message, delivered via a Google Group mailing list.
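# Sublime detection rule: callback-phishing lure relayed through a Google Group.
# Fires on inbound mail sent from googlegroups.com (few attachments) when either
#   - an image/PDF attachment's OCR text is classified as a high-confidence
#     "callback_scam" intent (device-camera photos and Android/Apple screenshots
#     are excluded via EXIF fields), or
#   - the current thread body is classified the same way,
# and the sender is not a solicited/known-good profile, with the usual
# high-trust-root-domain / DMARC carve-out.
name: "Callback phishing via Google Group abuse"
description: "A fraudulent invoice/receipt found in the body of the message, delivered via a Google Group mailing list."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) < 5
  and sender.email.domain.domain == "googlegroups.com"
  and (
    any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and (
          any(file.explode(.),
              // exclude images taken with mobile cameras and screenshots from
              // Android or Apple devices. Each predicate below is evaluated
              // against a single EXIF field, so the device indicators must be
              // joined with "or": one field cannot carry both the "Model" key
              // and the "DeviceManufacturer" key, and joining them with "and"
              // would make the exclusion unsatisfiable (i.e. never exclude).
              not any(.scan.exiftool.fields,
                      (
                        .key == "Model"
                        or (
                          .key == "Software"
                          and strings.starts_with(.value, "Android")
                        )
                      )
                      or (
                        .key == "DeviceManufacturer"
                        and .value == "Apple Computer Inc."
                      )
              )
              // OCR'd text of the exploded file must carry a high-confidence
              // callback-scam intent
              and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                      .name == "callback_scam" and .confidence == "high"
              )
          )
        )
    )
    // alternatively, the thread body itself carries the lure
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "callback_scam" and .confidence == "high"
    )
  )
  // sender-profile exclusions: solicited senders and senders with prior
  // false positives are not flagged
  and (
    not profile.by_sender().solicited
    and not profile.by_sender().any_false_positives
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "199d873b-9703-50df-a8d5-f4dc4322222b"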