Attachment: Credit card application with WhatsApp contact
Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud.
Detection Query
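type.inbound
// promotional/advertising content targeting financial services
// (regex.icontains is case-insensitive, so no [aA]-style character classes are needed anywhere below)
and (
  (
    regex.icontains(body.current_thread.text,
                    "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
    )
    // NOTE(review): the subject pattern omits "special offer", which the body pattern includes — confirm intentional
    or regex.icontains(subject.subject,
                       "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
    )
  )
  // the NLU topic gate keeps generic mentions of credit cards (statements, disputes) out of scope
  and any(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Advertising and Promotions")
  )
)
// PII harvesting template in attachments (3+ of these patterns)
// "email" and "address" are weak signals on their own; they only count toward the 3-of threshold.
// "ADHAAR" is also a substring of the standard spelling "Aadhaar", so both spellings are covered.
and any(attachments,
        any(file.explode(.),
            3 of (
              regex.icontains(.scan.strings.raw, "Credit Card Application"),
              regex.icontains(.scan.strings.raw, "Date of Birth"),
              regex.icontains(.scan.strings.raw, "email"),
              regex.icontains(.scan.strings.raw, "address"),
              regex.icontains(.scan.strings.raw, "Contact No"),
              regex.icontains(.scan.strings.raw, "Pan No"),
              regex.icontains(.scan.strings.raw, "ADHAAR"),
              regex.icontains(.scan.strings.raw, "Annual.*salary"),
              regex.icontains(.scan.strings.raw, "Mother Name"),
              regex.icontains(.scan.strings.raw, "Father Name"),
              regex.icontains(.scan.strings.raw, "SINGLE.*MARRIED")
            )
        )
)
// WhatsApp contact method (suspicious for legitimate financial institutions)
// body text: also match the wa.me short link, so a bare link without the brand name
// still satisfies this branch; the two QR checks cover links hidden in attachments
// and in the rendered message body respectively
and (
  regex.icontains(body.current_thread.text, "whatsapp|wa\\.me")
  or any(attachments,
         any(file.explode(.), regex.icontains(.scan.qr.url.url, "wa\\.me"))
  )
  or any(file.explode(file.message_screenshot()),
         regex.icontains(.scan.qr.url.url, "wa\\.me")
  )
)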
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
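name: "Attachment: Credit card application with WhatsApp contact"
description: "Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud."
type: "rule"
severity: "medium"
# block scalar content must be indented under the key for the YAML to parse
source: |
  type.inbound
  // promotional/advertising content targeting financial services
  // (regex.icontains is case-insensitive, so no [aA]-style character classes are needed anywhere below)
  and (
    (
      regex.icontains(body.current_thread.text,
                      "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
      )
      // NOTE(review): the subject pattern omits "special offer", which the body pattern includes — confirm intentional
      or regex.icontains(subject.subject,
                         "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
      )
    )
    // the NLU topic gate keeps generic mentions of credit cards (statements, disputes) out of scope
    and any(ml.nlu_classifier(body.current_thread.text).topics,
            .name in ("Advertising and Promotions")
    )
  )
  // PII harvesting template in attachments (3+ of these patterns)
  // "email" and "address" are weak signals on their own; they only count toward the 3-of threshold.
  // "ADHAAR" is also a substring of the standard spelling "Aadhaar", so both spellings are covered.
  and any(attachments,
          any(file.explode(.),
              3 of (
                regex.icontains(.scan.strings.raw, "Credit Card Application"),
                regex.icontains(.scan.strings.raw, "Date of Birth"),
                regex.icontains(.scan.strings.raw, "email"),
                regex.icontains(.scan.strings.raw, "address"),
                regex.icontains(.scan.strings.raw, "Contact No"),
                regex.icontains(.scan.strings.raw, "Pan No"),
                regex.icontains(.scan.strings.raw, "ADHAAR"),
                regex.icontains(.scan.strings.raw, "Annual.*salary"),
                regex.icontains(.scan.strings.raw, "Mother Name"),
                regex.icontains(.scan.strings.raw, "Father Name"),
                regex.icontains(.scan.strings.raw, "SINGLE.*MARRIED")
              )
          )
  )
  // WhatsApp contact method (suspicious for legitimate financial institutions)
  // body text: also match the wa.me short link, so a bare link without the brand name
  // still satisfies this branch; the two QR checks cover links hidden in attachments
  // and in the rendered message body respectively
  and (
    regex.icontains(body.current_thread.text, "whatsapp|wa\\.me")
    or any(attachments,
           any(file.explode(.), regex.icontains(.scan.qr.url.url, "wa\\.me"))
    )
    or any(file.explode(file.message_screenshot()),
           regex.icontains(.scan.qr.url.url, "wa\\.me")
    )
  )
attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Social engineering"
  - "Out of band pivot"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Natural Language Understanding"
  - "QR code analysis"
id: "95b08315-93a6-5005-8f38-ff597eb9f947"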