EXPLORE
Sign In
← Back to Explore
sublimemediumRule

BEC/Fraud: Student loan callback phishing

This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.

MITRE ATT&CK

T1566.002T1534T1656T1566T1598
initial-access

Detection Query

type.inbound
// there is no HTML body
and body.html.raw is null

// but the current thread contains what's most likely an html tag 
// (eg. <>'s' followed by a closing </> )
and regex.contains(body.current_thread.text, '<[^>]+>.*?</[^>]+>')

// and the body mentions student loans
and strings.icontains(body.current_thread.text, "Student Loan")

// sourced from a free mail provider
and sender.email.domain.root_domain in $free_email_providers

// contains a phone number
and (
  regex.contains(strings.replace_confusables(body.current_thread.text),
                 '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
  )
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '\+\d{1,3}[ilo0-9]{10}'
  )
  or // +12028001238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}'
  )
  or // 202.800.1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}'
  )
  or // 202-800-1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}'
  )
  or // (202) 800-1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}'
  )
  or // (202)-800-1238
 regex.contains(strings.replace_confusables(body.current_thread.text),
                '1 [ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}'
  ) // 8123456789
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '8\d{9}'
  )
)

// contains a request
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)

// sender is unsolicited
and not profile.by_sender().solicited

Data Sources

Email MessagesEmail HeadersEmail Attachments

Platforms

email
Raw Content
name: "BEC/Fraud: Student loan callback phishing"
description: "This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement."
type: "rule"
severity: "medium"
source: |
  type.inbound
  // there is no HTML body
  and body.html.raw is null
  
  // but the current thread contains what's most likely an html tag 
  // (eg. <>'s' followed by a closing </> )
  and regex.contains(body.current_thread.text, '<[^>]+>.*?</[^>]+>')
  
  // and the body mentions student loans
  and strings.icontains(body.current_thread.text, "Student Loan")
  
  // sourced from a free mail provider
  and sender.email.domain.root_domain in $free_email_providers
  
  // contains a phone number
  and (
    regex.contains(strings.replace_confusables(body.current_thread.text),
                   '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
    )
    or regex.contains(strings.replace_confusables(body.current_thread.text),
                      '\+\d{1,3}[ilo0-9]{10}'
    )
    or // +12028001238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}'
    )
    or // 202.800.1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}'
    )
    or // 202-800-1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}'
    )
    or // (202) 800-1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}'
    )
    or // (202)-800-1238
   regex.contains(strings.replace_confusables(body.current_thread.text),
                  '1 [ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}'
    ) // 8123456789
    or regex.contains(strings.replace_confusables(body.current_thread.text),
                      '8\d{9}'
    )
  )
  
  // contains a request
  and any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "request"
  )
  
  // sender is unsolicited
  and not profile.by_sender().solicited
  

attack_types:
  - "BEC/Fraud"
tactics_and_techniques:
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "a71f82c3-36fe-54ca-ac72-ac65997525f5"