← Back to Explore
sublimemediumRule
Service abuse: Google Calendar notification with callback scam language
Detects messages sent from Google's legitimate calendar notification service that contain callback scam language, indicating potential abuse of the calendar sharing feature to distribute fraudulent content.
Detection Query
type.inbound
and sender.email.email == 'calendar-notification@google.com'
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam" and .confidence != "low"
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: Google Calendar notification with callback scam language"
description: "Detects messages sent from Google's legitimate calendar notification service that contain callback scam language, indicating potential abuse of the calendar sharing feature to distribute fraudulent content."
type: "rule"
severity: "medium"
source: |
type.inbound
and sender.email.email == 'calendar-notification@google.com'
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam" and .confidence != "low"
)
attack_types:
- "Callback Phishing"
tactics_and_techniques:
- "Out of band pivot"
- "Social engineering"
detection_methods:
- "Natural Language Understanding"
- "Content analysis"
- "Sender analysis"
id: "58954546-37bf-5702-8c1d-f7ab615318d1"