Service abuse: Facebook mail notification callback scam

Detects inbound messages spoofing Facebook's official notification address that contain callback scam intent identified with medium or high confidence. Attackers leverage the trusted Facebook sender identity to deceive recipients into calling a fraudulent phone number.

Sublime rule (View on GitHub)

 1name: "Service abuse: Facebook mail notification callback scam"
 2description: "Detects inbound messages spoofing Facebook's official notification address that contain callback scam intent identified with medium or high confidence. Attackers leverage the trusted Facebook sender identity to deceive recipients into calling a fraudulent phone number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and sender.email.email == "notification@facebookmail.com"
 8  // legitimate messages from this address use Facebook as the display name
 9  and sender.display_name != "Facebook"
10  and (
11    any(ml.nlu_classifier(body.current_thread.text).intents,
12        .name == "callback_scam" and .confidence != "low"
13    )
14    or (
15      regex.icontains(body.current_thread.text,
16                      (
17                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
18                      )
19      )
20      and (
21        3 of (
22          strings.ilike(body.current_thread.text, '*purchase*'),
23          strings.ilike(body.current_thread.text, '*payment*'),
24          strings.ilike(body.current_thread.text, '*transaction*'),
25          strings.ilike(body.current_thread.text, '*subscription*'),
26          strings.ilike(body.current_thread.text, '*antivirus*'),
27          strings.ilike(body.current_thread.text, '*order*'),
28          strings.ilike(body.current_thread.text, '*support*'),
29          strings.ilike(body.current_thread.text, '*receipt*'),
30          strings.ilike(body.current_thread.text, '*invoice*'),
31          strings.ilike(body.current_thread.text, '*call*'),
32          strings.ilike(body.current_thread.text, '*cancel*'),
33          strings.ilike(body.current_thread.text, '*renew*'),
34          strings.ilike(body.current_thread.text, '*refund*'),
35          strings.ilike(body.current_thread.text, '*host key*')
36        )
37      )
38      // phone number regex
39      and any([body.current_thread.text, subject.subject],
40              regex.icontains(.,
41                              '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
42                              '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
43              )
44      )
45    )
46  )  
47attack_types:
48  - "Callback Phishing"
49tactics_and_techniques:
50  - "Impersonation: Brand"
51  - "Social engineering"
52  - "Spoofing"
53detection_methods:
54  - "Sender analysis"
55  - "Natural Language Understanding"
56id: "5037b74e-d0ba-5a4e-a754-ae90f3ecc87d"
to-top