Callback phishing via Google Meet
Detects Google Meet invitations that include callback phishing content in the body, impersonating brands like McAfee, Norton, PayPal, or Best Buy with purchase-related language and phone numbers to solicit victim contact.
Sublime rule
name: "Callback phishing via Google Meet"
description: "Detects Google Meet invitations that include callback phishing content in the body, impersonating brands like McAfee, Norton, PayPal, or Best Buy with purchase-related language and phone numbers to solicit victim contact."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 2
  and all(attachments,
          .content_type == "text/calendar" or .file_extension == "ics"
  )
  and strings.starts_with(subject.base, "Invitation:")
  // Google Meet indicators
  and (
    any(body.links,
        .display_text == "Join with Google Meet"
        and .href_url.domain.domain == "meet.google.com"
    )
  )
  and (
    (
      regex.icontains(body.current_thread.text,
                      (
                        "mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
                      )
      )
      and 3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*help line*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*')
      )
      // toll-free phone number regex
      and any([body.current_thread.text, subject.subject],
              regex.icontains(., '\b\+?(\d{1}.)?\(?8\d{2}?\)?.\d{3}.?\d{4}\b')
      )
    )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
id: "70e01845-b815-5be5-87ac-11ae7477367e"
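To see how the clauses combine, here is an added Python port of the rule's logic evaluated over two constructed invitations; it is not Sublime's engine or the rule's own code, the brand and phone regexes are copied from the rule above, and the Message shape and its field names are my assumptions standing in for the MQL fields named in the comments.

```python
import re
from dataclasses import dataclass

# Patterns ported from the rule's MQL (hypothetical Python port, not Sublime's engine)
BRAND_RE = re.compile(r"mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock", re.I)
TOLL_FREE_RE = re.compile(r"\b\+?(\d{1}.)?\(?8\d{2}?\)?.\d{3}.?\d{4}\b")
PURCHASE_TERMS = ["purchase", "payment", "transaction", "subscription", "antivirus", "order",
                  "support", "help line", "receipt", "invoice", "call", "cancel", "renew", "refund"]

@dataclass
class Message:
    inbound: bool
    subject: str                 # stands in for subject.subject and subject.base
    body_text: str               # body.current_thread.text
    attachments: list            # (content_type, file_extension) pairs
    links: list                  # (display_text, href_url.domain.domain) pairs

def is_callback_phish_invite(msg: Message) -> bool:
    """Evaluate each clause of the rule in order; every clause must hold."""
    if not msg.inbound or len(msg.attachments) != 2:
        return False
    if not all(ct == "text/calendar" or ext == "ics" for ct, ext in msg.attachments):
        return False
    if not msg.subject.startswith("Invitation:"):
        return False
    if not any(t == "Join with Google Meet" and d == "meet.google.com" for t, d in msg.links):
        return False
    if not BRAND_RE.search(msg.body_text):
        return False
    # "3 of (...)": at least three purchase-related terms, matched case-insensitively like ilike
    if sum(term in msg.body_text.lower() for term in PURCHASE_TERMS) < 3:
        return False
    # the toll-free number may sit in the body or the subject
    return any(TOLL_FREE_RE.search(s) for s in (msg.body_text, msg.subject))

# Constructed samples, not real messages
ICS = [("text/calendar", "ics"), ("text/calendar", "ics")]
MEET = [("Join with Google Meet", "meet.google.com")]
PHISH = Message(True, "Invitation: Order confirmation @ Fri 10am",
                "Your Norton antivirus subscription renewal payment was processed. "
                "To cancel, call our support line at 1-800-555-0199.", ICS, MEET)
# Brand and purchase language are present but no toll-free number, so the rule stays quiet
BENIGN = Message(True, "Invitation: PayPal integration review @ Mon 9am",
                 "Agenda: payment flow, subscription renewals, refund handling.", ICS, MEET)

if __name__ == "__main__":
    print(is_callback_phish_invite(PHISH), is_callback_phish_invite(BENIGN))  # True False
```

The second sample shows why the phone-number clause matters: brand names and billing vocabulary alone appear in plenty of legitimate calendar invites, and the rule only fires once a callback number is also present.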