Service abuse: PayPal manager account creation with callback scam indicators
Detects inbound messages abusing PayPal's noreply address with subjects about PayPal Manager user account creation that contain callback scam intent patterns identified through natural language analysis.
Sublime rule
name: "Service abuse: PayPal manager account creation with callback scam indicators"
description: "Detects inbound messages abusing PayPal's noreply address with subjects about PayPal Manager user account creation that contain callback scam intent patterns identified through natural language analysis."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "noreply@paypal.com"
  and strings.icontains(subject.base,
                        "Creation of your PayPal Manager user account"
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("callback_scam", "cred_theft") and .confidence != "low"
  )
attack_types:
  - "Callback Phishing"
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
  - "Spoofing"
detection_methods:
  - "Sender analysis"
  - "Content analysis"
  - "Natural Language Understanding"
id: "4f379593-37e8-5a00-a724-08eb72d90062"