Callback phishing via Google Meet
Detects Google Meet invitations that include callback phishing content in the body, impersonating brands like McAfee, Norton, PayPal, or Best Buy with purchase-related language and phone numbers to solicit victim contact.
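name: "Callback phishing via Google Meet"
description: "Detects Google Meet invitations that include callback phishing content in the body, impersonating brands like McAfee, Norton, PayPal, or Best Buy with purchase-related language and phone numbers to solicit victim contact."
type: "rule"
severity: "medium"
# Callback phishing carries no malicious link or attachment: the payload is a
# phone number the victim is pressured into calling. The rule therefore keys on
# the lure content (brand + purchase vocabulary + phone number) inside an
# otherwise well-formed Google Meet invitation. No sender or authentication
# condition is applied below, so detection rests entirely on body/subject
# content (NOTE(review): confirm against observed samples that these invites are
# delivered via legitimate calendar infrastructure before tuning further).
source: |
  type.inbound
  // Calendar invitations are expected to carry exactly two calendar attachments.
  // NOTE(review): this is an exact count, so an invite with extra or fewer
  // attachments will not fire — confirm against observed Google invite structure.
  and length(attachments) == 2
  and all(attachments, .content_type == "text/calendar" or .file_extension == "ics")
  and strings.starts_with(subject.base, "Invitation:")
  // Google Meet indicators: the join link is anchored on the href domain, not
  // only on the attacker-controllable display text.
  and (
    any(body.links,
        .display_text == "Join with Google Meet"
        and .href_url.domain.domain == "meet.google.com"
    )
  )
  and (
    (
      // Impersonated brands. In "geek.{0,5}squad" the "." is any character, so
      // the pattern tolerates spacing, punctuation and light obfuscation between
      // the two words (e.g. "Geek Squad", "Geek-Squad").
      regex.icontains(body.current_thread.text,
                      (
                        "mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
                      )
      )
      // Purchase/support vocabulary. Several wildcards are broad on their own
      // ('*call*' also hits "called"/"callback", '*order*' hits "border",
      // '*renew*' hits "renewal"), so at least 3 must match and the brand and
      // phone-number conditions must also hold to keep false positives down.
      and 3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*help line*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*')
      )
      // Phone number in the body or subject. Separators are matched with "."
      // (any single character), so "800-555-1234", "800.555.1234",
      // "(800) 555 1234" and "+1 800 555 1234" all match. "8\d{2}" accepts any
      // 8xx area code, not only the North American toll-free prefixes
      // (800/833/844/855/866/877/888) — tightening it would narrow coverage of
      // callback numbers that are not toll-free. The "?" after "\d{2}" is a
      // lazy modifier on an exact count (a no-op), not "optional".
      and any([body.current_thread.text, subject.subject],
              regex.icontains(., '\b\+?(\d{1}.)?\(?8\d{2}?\)?.\d{3}.?\d{4}\b')
      )
    )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
id: "70e01845-b815-5be5-87ac-11ae7477367e"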