Medium Severity

BEC/Fraud - Student loan callback phishing

Labels

BEC/Fraud

Free email provider

Out of band pivot

Social engineering

Content analysis

Natural Language Understanding

Sender analysis

Description

This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.

References

No references.

Sublime Security

Created Oct 4th, 2024 • Last updated Oct 4th, 2024

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
// there is no HTML body
and body.html.raw is null

// but the current thread contains what's most likely an html tag 
// (eg. <>'s' followed by a closing </> )
and regex.contains(body.current_thread.text, '<[^>]+>.*?</[^>]+>')

// and the body mentions student loans
and strings.icontains(body.current_thread.text, "Student Loan")

// sourced from a free mail provider
and sender.email.domain.root_domain in $free_email_providers

// contains a phone number
and (
  regex.contains(strings.replace_confusables(body.current_thread.text),
                 '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
  )
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '\+\d{1,3}[0-9]{10}'
  )
  or // +12028001238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '[0-9]{3}\.[0-9]{3}\.[0-9]{4}'
  )
  or // 202.800.1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '[0-9]{3}-[0-9]{3}-[0-9]{4}'
  )
  or // 202-800-1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '\([0-9]{3}\)\s[0-9]{3}-[0-9]{4}'
  )
  or // (202) 800-1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '\([0-9]{3}\)-[0-9]{3}-[0-9]{4}'
  )
  or // (202)-800-1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '1 [0-9]{3} [0-9]{3} [0-9]{4}'
  ) // 8123456789
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '8\d{9}'
  )
)

// contains a request
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)

// sender is unsolicited
and not profile.by_sender().solicited

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.