Service abuse: Settime.io sender with callback scam intent

Detects inbound messages from noreply@settime.io that exhibit callback scam characteristics, as identified by natural language understanding with medium or high confidence. Settime.io is a scheduling service that can be abused to send fraudulent messages prompting recipients to call a phone number controlled by threat actors.

Sublime rule (View on GitHub)

name: "Service abuse: Settime.io sender with callback scam intent"
description: "Detects inbound messages from noreply@settime.io that exhibit callback scam characteristics, as identified by natural language understanding with medium or high confidence. Settime.io is a scheduling service that can be abused to send fraudulent messages prompting recipients to call a phone number controlled by threat actors."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "noreply@settime.io"
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam" and .confidence != "low"
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Out of band pivot"
detection_methods:
  - "Sender analysis"
  - "Natural Language Understanding"
id: "116464d4-f054-5736-96d4-286ba2d4861f"
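
The rule's three conditions, mirrored in Python and run over constructed messages, as an added example (not part of the Sublime rule and not Sublime's engine). The field names `direction`, `sender_email` and `nlu_intents`, and the `other_intent` label, are assumptions standing in for the MQL fields and the classifier output.

```python
# Added illustration: a Python mirror of the rule's predicate, for reasoning
# about which messages it flags. Field names are assumptions, not MQL.

RULE_SENDER = "noreply@settime.io"


def rule_matches(msg):
    """Return True when a message satisfies all three conditions of the rule."""
    if msg.get("direction") != "inbound":        # type.inbound
        return False
    if msg.get("sender_email") != RULE_SENDER:   # sender.email.email == "..."
        return False
    # any(intents, .name == "callback_scam" and .confidence != "low"):
    # both tests must hold on the SAME intent entry.
    return any(
        i.get("name") == "callback_scam" and i.get("confidence") != "low"
        for i in msg.get("nlu_intents", [])
    )


def _msg(mid, intents, sender=RULE_SENDER, direction="inbound"):
    """Build one constructed sample message."""
    return {"id": mid, "direction": direction,
            "sender_email": sender, "nlu_intents": intents}


# Constructed samples (not real mail); nlu_intents stands in for classifier output.
SAMPLES = [
    _msg("m1", [{"name": "callback_scam", "confidence": "high"}]),
    _msg("m2", [{"name": "callback_scam", "confidence": "medium"}]),
    _msg("m3", [{"name": "callback_scam", "confidence": "low"}]),
    # Low-confidence callback_scam plus a different high-confidence intent:
    # no single entry satisfies both tests, so the rule does not fire.
    _msg("m4", [{"name": "callback_scam", "confidence": "low"},
                {"name": "other_intent", "confidence": "high"}]),
    _msg("m5", [{"name": "callback_scam", "confidence": "high"}],
         sender="noreply@example.com"),
    _msg("m6", [{"name": "callback_scam", "confidence": "high"}],
         direction="outbound"),
    _msg("m7", []),
]


def flagged_ids(messages):
    """Ids of the messages the mirrored rule would flag."""
    return [m["id"] for m in messages if rule_matches(m)]


if __name__ == "__main__":
    print(flagged_ids(SAMPLES))
```
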