← Back to Explore
sublimemediumRule
Service abuse: Google classroom solicitation
Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders.
Detection Query
type.inbound
//
// Warning: This rule contains sexually explicit keywords
//
and sender.email.email == "no-reply@classroom.google.com"
and any(regex.iextract(body.html.display_text,
'(?P<sender_email>(?P<sender_name>[a-zA-Z0-9._%+-]+)@(?P<sender_domain>[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))'
),
.named_groups["sender_email"] not in $sender_emails
and .named_groups["sender_email"] not in $recipient_emails
)
and (
// check for a WhatsApp invitation in the currend_thread
(
regex.icontains(body.current_thread.text, '\bWhatsapp:?.[:0-9+ ]{7,20}\b')
or (
strings.icontains(body.current_thread.text, "WhatsApp")
and strings.icontains(body.current_thread.text, "invited")
)
// look for an emoji in the subject
or (
regex.icontains(subject.subject,
'[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
)
)
// look for sexually explicit subject titles
or regex.icontains(subject.subject,
'(?:give me|your satisfaction|sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
)
)
// check for WhatsApp invitation within the OCR of an attachment.
or (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
regex.icontains(beta.ocr(file.message_screenshot()).text,
// International format with OCR-friendly character classes
'\+?[ilo0-9]{1,3}[\s\.\-⋅]?\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{3,4}',
// US format
'\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{4}',
)
// and mentions of WhatsApp in the screenshot
and (
regex.icontains(beta.ocr(file.message_screenshot()).text,
'[Ww]hats[Aa]pp|[Ww]hatsapp'
)
or regex.icontains(beta.ocr(file.message_screenshot()).text, // WhatsApp-specific format
'[Ww]hats[Aa]pp:?[\s]*[+]?[ilo0-9\s\.\-⋅\(\)]{10,18}'
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: Google classroom solicitation"
description: "Detects messages spoofing Google Classroom notifications that contain WhatsApp contact information, phone numbers, or sexually explicit content. The rule identifies emails from no-reply@classroom.google.com that include WhatsApp invitations, emojis in the subject line, or explicit sexual language, as well as phone numbers and WhatsApp references in message screenshots from first-time senders."
type: "rule"
severity: "medium"
source: |
type.inbound
//
// Warning: This rule contains sexually explicit keywords
//
and sender.email.email == "no-reply@classroom.google.com"
and any(regex.iextract(body.html.display_text,
'(?P<sender_email>(?P<sender_name>[a-zA-Z0-9._%+-]+)@(?P<sender_domain>[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}))'
),
.named_groups["sender_email"] not in $sender_emails
and .named_groups["sender_email"] not in $recipient_emails
)
and (
// check for a WhatsApp invitation in the currend_thread
(
regex.icontains(body.current_thread.text, '\bWhatsapp:?.[:0-9+ ]{7,20}\b')
or (
strings.icontains(body.current_thread.text, "WhatsApp")
and strings.icontains(body.current_thread.text, "invited")
)
// look for an emoji in the subject
or (
regex.icontains(subject.subject,
'[\x{1F300}-\x{1F5FF}\x{1F600}-\x{1F64F}\x{1F680}-\x{1F6FF}\x{1F700}-\x{1F77F}\x{1F780}-\x{1F7FF}\x{1F900}-\x{1F9FF}\x{2600}-\x{26FF}\x{2700}-\x{27BF}\x{2300}-\x{23FF}]'
)
)
// look for sexually explicit subject titles
or regex.icontains(subject.subject,
'(?:give me|your satisfaction|sex|horny|cock|fuck|\bass\b|pussy|dick|tits|cum|girlfriend|boyfriend|naked|porn|video|webcam|masturbate|orgasm|breasts|penis|vagina|strip|suck|blowjob|hardcore|xxx|nudes?|sexting|cheating|affair|erotic|\blust\b|desire|intimate|explicit|fetish|kinky|seduce|adult community|cam shows|local (?:girls?|women|single)|hook.?up|bed partner)'
)
)
// check for WhatsApp invitation within the OCR of an attachment.
or (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
regex.icontains(beta.ocr(file.message_screenshot()).text,
// International format with OCR-friendly character classes
'\+?[ilo0-9]{1,3}[\s\.\-⋅]?\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{3,4}',
// US format
'\(?[ilo0-9]{3}\)?[\s\.\-⋅]{0,3}[ilo0-9]{3}[\s\.\-⋅]{0,3}[ilo0-9]{4}',
)
// and mentions of WhatsApp in the screenshot
and (
regex.icontains(beta.ocr(file.message_screenshot()).text,
'[Ww]hats[Aa]pp|[Ww]hatsapp'
)
or regex.icontains(beta.ocr(file.message_screenshot()).text, // WhatsApp-specific format
'[Ww]hats[Aa]pp:?[\s]*[+]?[ilo0-9\s\.\-⋅\(\)]{10,18}'
)
)
)
)
attack_types:
- "Callback Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Impersonation: Brand"
- "Out of band pivot"
- "Social engineering"
detection_methods:
- "Content analysis"
- "Header analysis"
- "Sender analysis"
id: "e9c39e92-4817-535a-91f9-13ad68885ff9"