Service abuse: Google Groups callback scam

Detects inbound messages originating from Google Groups that contain high-confidence callback scam content, identifying abuse of the legitimate service to distribute fraudulent callback requests.

Sublime rule

name: "Service abuse: Google Groups callback scam"
description: "Detects inbound messages originating from Google Groups that contain high-confidence callback scam content, identifying abuse of the legitimate service to distribute fraudulent callback requests."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.domain.domain == "groups.google.com"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence == "high"
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
id: "e74a05b8-6e63-5921-bd42-6abe2c7a3e0e"
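The rule is three ANDed conditions: the message is inbound, the sender's full domain is exactly groups.google.com, and the NLU classifier returns a callback_scam intent at high confidence. The following stand-alone Python evaluator, added here as an illustration and not Sublime's engine or the rule's own code, applies those same conditions to constructed sample messages. The Message class, its field names, and the classifier output (supplied as constructed data in the shape the rule reads, since the real ml.nlu_classifier cannot run outside Sublime) are all assumptions of this example; the samples show the match and the near-misses a tuner would want to check (medium confidence, a different sender host, outbound direction, mixed-case domain).

```python
# Added illustration (not Sublime's engine or the rule's own code): a small,
# stand-alone evaluator that applies the rule's three ANDed conditions to
# constructed sample messages. The NLU classifier output is supplied as
# constructed data in the same shape the rule reads (a list of intents with
# "name" and "confidence"), because the real ml.nlu_classifier() cannot run here.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Message:
    subject: str
    inbound: bool                  # stands in for type.inbound
    sender_email: str              # stands in for the sender address
    intents: List[Dict[str, str]]  # stands in for ml.nlu_classifier(...).intents


def sender_domain(email: str) -> str:
    """Full domain part of an address, lower-cased.

    Mirrors sender.email.domain.domain: the rule compares the complete host
    (groups.google.com), so a message from another google.com host does not
    satisfy this condition. Lower-casing is this example's choice, since
    mail domains are case-insensitive.
    """
    if "@" not in email:
        return ""
    return email.rsplit("@", 1)[1].strip().lower()


def has_high_confidence_callback_scam(intents: List[Dict[str, str]]) -> bool:
    """any(intents, .name == "callback_scam" and .confidence == "high")."""
    return any(
        i.get("name") == "callback_scam" and i.get("confidence") == "high"
        for i in intents
    )


def matches_rule(msg: Message) -> bool:
    """True when all three conditions of the rule hold."""
    return (
        msg.inbound
        and sender_domain(msg.sender_email) == "groups.google.com"
        and has_high_confidence_callback_scam(msg.intents)
    )


# Constructed sample messages covering the match and the near-misses.
SAMPLES = [
    Message("Invoice #A-1 - call to cancel", True, "billing-team@groups.google.com",
            [{"name": "callback_scam", "confidence": "high"}]),
    # Same sender host, but the classifier is only medium-confident: no match.
    Message("Weekly digest", True, "list-owner@groups.google.com",
            [{"name": "callback_scam", "confidence": "medium"}]),
    # High-confidence callback scam, but not sent via Google Groups: no match.
    Message("Your order", True, "noreply@calendar-invite.example",
            [{"name": "callback_scam", "confidence": "high"}]),
    # Outbound message: the rule only considers inbound mail.
    Message("Re: call me", False, "team@groups.google.com",
            [{"name": "callback_scam", "confidence": "high"}]),
    # Mixed-case domain and several intents; the callback_scam one is high.
    Message("Group update", True, "Admin@Groups.Google.COM",
            [{"name": "newsletter", "confidence": "high"},
             {"name": "callback_scam", "confidence": "high"}]),
]


def flagged_subjects(messages: List[Message]) -> List[str]:
    """Subjects of the messages the rule would flag."""
    return [m.subject for m in messages if matches_rule(m)]


if __name__ == "__main__":
    for s in flagged_subjects(SAMPLES):
        print("FLAGGED:", s)
```

Running the block flags only the first and last samples. The second sample is the one worth noting when tuning: the rule deliberately requires "high" confidence, so a medium-confidence callback_scam intent from the same Google Groups sender is left to other rules rather than raised at this severity.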