Callback phishing via Google Group abuse

Detects a fraudulent invoice/receipt (a callback-phishing lure) either in the message body or in the OCR text of an image/PDF attachment, delivered through a Google Groups mailing list (sender domain `googlegroups.com`).


 1name: "Callback phishing via Google Group abuse"
 2description: "A fraudulent invoice/receipt found in the body of the message, delivered via a Google Group mailing list."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and length(attachments) < 5
 8  and sender.email.domain.domain == "googlegroups.com"
 9  and (
10    any(attachments,
11        (.file_type in $file_types_images or .file_type == "pdf")
12        and (
13          any(file.explode(.),
14              // exclude images taken with mobile cameras and screenshots from android
15              not any(.scan.exiftool.fields,
16                      (
17                        .key == "Model"
18                        or (
19                          .key == "Software"
20                          and strings.starts_with(.value, "Android")
21                        )
22                      )
23                      // exclude images taken with mobile cameras and screenshots from Apple
24                      and (
25                        .key == "DeviceManufacturer"
26                        and .value == "Apple Computer Inc."
27                      )
28              )
29              and any(ml.nlu_classifier(.scan.ocr.raw).intents,
30                      .name == "callback_scam" and .confidence == "high"
31              )
32          )
33        )
34    )
35    or any(ml.nlu_classifier(body.current_thread.text).intents,
36           .name in ("callback_scam") and .confidence == "high"
37    )
38  )
39  and (
40    not profile.by_sender().solicited
41    and not profile.by_sender().any_false_positives
42  )
43  
44  // negate highly trusted sender domains unless they fail DMARC authentication
45  and (
46    (
47      sender.email.domain.root_domain in $high_trust_sender_root_domains
48      and (
49        any(distinct(headers.hops, .authentication_results.dmarc is not null),
50            strings.ilike(.authentication_results.dmarc, "*fail")
51        )
52      )
53    )
54    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
55  )  
56
57attack_types:
58  - "Callback Phishing"
59tactics_and_techniques:
60  - "Free email provider"
61  - "Impersonation: Brand"
62  - "Social engineering"
63detection_methods:
64  - "File analysis"
65  - "Natural Language Understanding"
66  - "Optical Character Recognition"
67  - "Sender analysis"
68id: "199d873b-9703-50df-a8d5-f4dc4322222b"