Service abuse: Oracle Cloud Workflow callback scam
Detects inbound messages sent through Oracle Cloud's workflow mail service (workflow.mail.us2.cloud.oracle.com) that contain callback scam content within styled HTML table cells. Natural language understanding is used to identify callback scam intent with medium or high confidence within the message body, indicating misuse of legitimate Oracle infrastructure to deliver fraudulent content.
Sublime rule (View on GitHub)
1name: "Service abuse: Oracle Cloud Workflow callback scam"
2description: "Detects inbound messages sent through Oracle Cloud's workflow mail service (workflow.mail.us2.cloud.oracle.com) that contain callback scam content within styled HTML table cells. Natural language understanding is used to identify callback scam intent with medium or high confidence within the message body, indicating misuse of legitimate Oracle infrastructure to deliver fraudulent content."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and sender.email.domain.domain == "workflow.mail.us2.cloud.oracle.com"
8 and any(html.xpath(body.html,
9 "//td[contains(@style, 'padding: 20px 40px')]//font[@style='']"
10 ).nodes,
11 any(ml.nlu_classifier(.inner_text).intents,
12 .name == "callback_scam" and .confidence != "low"
13 )
14 )
15attack_types:
16 - "Callback Phishing"
17tactics_and_techniques:
18 - "Social engineering"
19 - "Impersonation: Brand"
20detection_methods:
21 - "Sender analysis"
22 - "HTML analysis"
23 - "Natural Language Understanding"
24id: "873f523d-20a9-534d-b05c-69d740b6e155"