Service abuse: MongoDB Atlas callback scam

Detects inbound messages from MongoDB Atlas alert addresses that contain callback scam content identified through natural language analysis with medium or high confidence.

Sublime rule

```yaml
name: "Service abuse: MongoDB Atlas callback scam"
description: "Detects inbound messages from MongoDB Atlas alert addresses that contain callback scam content identified through natural language analysis with medium or high confidence."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "mongodb-atlas-alerts@mongodb.com"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence != "low"
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Natural Language Understanding"
  - "Sender analysis"
id: "dc3c3195-7d19-5af0-b2d2-e86c6230920a"
```