Service abuse: WeTransfer callback scam

Detects callback scams originating from the legitimate WeTransfer noreply address, using natural language processing to identify high-confidence callback scam intent in the message body.

Sublime rule

name: "Service abuse: WeTransfer callback scam"
description: "Detects callback scams originating from legitimate WeTransfer noreply address using natural language processing to identify high-confidence callback scam intent in the message body."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == 'noreply@wetransfer.com'
  and any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam"
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Social engineering"
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "c60c8650-e76e-501b-acf8-1feeb0e45bf2"