← Back to Explore
sublimemediumRule
Callback phishing via calendar invite
Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite.
Detection Query
type.inbound
and length(attachments) > 0
and all(attachments, .content_type in ("text/calendar", "application/ics"))
and any(attachments,
// extract the calendar invite description and use NLU against it
any(file.explode(.),
any(.scan.ics.calendars,
any(.components,
(
any(ml.nlu_classifier(.description).intents,
.name == "callback_scam"
)
or any(ml.nlu_classifier(strings.parse_html(.description).display_text
).intents,
.name == "callback_scam"
)
or (
any(ml.nlu_classifier(.description).topics,
.name == "Request to View Invoice"
and .confidence == "high"
)
// emoji regex
and regex.contains(.description,
'[\x{1F600}-\x{1F64F}\x{1F300}-\x{1F5FF}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{FE00}-\x{FE0F}\x{200D}\x{20E3}\x{E0020}-\x{E007F}]'
)
)
)
)
)
)
)
and (
not profile.by_sender_email().solicited
and not profile.by_sender_email().any_messages_benign
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not coalesce(headers.auth_summary.dmarc.pass, false)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Callback phishing via calendar invite"
description: "Detects calendar invites containing callback phishing language in the DESCRIPTION of the invite."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(attachments) > 0
and all(attachments, .content_type in ("text/calendar", "application/ics"))
and any(attachments,
// extract the calendar invite description and use NLU against it
any(file.explode(.),
any(.scan.ics.calendars,
any(.components,
(
any(ml.nlu_classifier(.description).intents,
.name == "callback_scam"
)
or any(ml.nlu_classifier(strings.parse_html(.description).display_text
).intents,
.name == "callback_scam"
)
or (
any(ml.nlu_classifier(.description).topics,
.name == "Request to View Invoice"
and .confidence == "high"
)
// emoji regex
and regex.contains(.description,
'[\x{1F600}-\x{1F64F}\x{1F300}-\x{1F5FF}\x{1F680}-\x{1F6FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{FE00}-\x{FE0F}\x{200D}\x{20E3}\x{E0020}-\x{E007F}]'
)
)
)
)
)
)
)
and (
not profile.by_sender_email().solicited
and not profile.by_sender_email().any_messages_benign
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not coalesce(headers.auth_summary.dmarc.pass, false)
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Callback Phishing"
tactics_and_techniques:
- "Social engineering"
- "Evasion"
- "ICS Phishing"
detection_methods:
- "File analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Sender analysis"
id: "95c84360-d5a5-5396-b9ce-c61016cb178f"