High Severity
Callback phishing via Google Group abuse
Description
A fraudulent invoice/receipt found in the body of the message, delivered via a Google Group mailing list.
References
No references.
Sublime Security
Created Dec 21st, 2023 • Last updated Apr 23rd, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(attachments) < 5
and sender.email.domain.domain == "googlegroups.com"
and (
any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and (
any(file.explode(.),
// exclude images taken with mobile cameras and screenshots from android
not any(.scan.exiftool.fields,
(
.key == "Model"
or (
.key == "Software"
and strings.starts_with(.value, "Android")
)
)
// exclude images taken with mobile cameras and screenshots from Apple
and (
.key == "DeviceManufacturer"
and .value == "Apple Computer Inc."
)
)
and any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name == "callback_scam" and .confidence == "high"
)
)
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("callback_scam") and .confidence == "high"
)
)
and (
not profile.by_sender().solicited
and not profile.by_sender().any_false_positives
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Playground
Test against your own EMLs or sample data.