Service abuse: Google Calendar notification with callback scam language
Detects messages sent from Google's legitimate calendar notification service that contain callback scam language, indicating potential abuse of the calendar sharing feature to distribute fraudulent content.
Sublime rule
name: "Service abuse: Google Calendar notification with callback scam language"
description: "Detects messages sent from Google's legitimate calendar notification service that contain callback scam language, indicating potential abuse of the calendar sharing feature to distribute fraudulent content."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == 'calendar-notification@google.com'
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence != "low"
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Content analysis"
  - "Sender analysis"
id: "58954546-37bf-5702-8c1d-f7ab615318d1"