Add detection rule for Google Meet callback phishing (#3606)

peterdj45 · ID Generator · web-flow · commit 4b68c9573b44 · 2025-12-03T21:32:10.000Z
Co-authored-by: ID Generator &lt;hello@sublimesecurity.com&gt;
diff --git a/detection-rules/callback_phishing_google_meet.yml b/detection-rules/callback_phishing_google_meet.yml
@@ -0,0 +1,53 @@
+name: "Callback phishing via Google Meet"
+description: "Detects Google Meet invitations that include callback phishing content in the body, impersonating brands like McAfee, Norton, PayPal, or Best Buy with purchase-related language and phone numbers to solicit victim contact."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) == 2
+  and all(attachments, .content_type == "text/calendar" or .file_extension == "ics")
+  and strings.starts_with(subject.base, "Invitation:")
+  // Google Meet indicators
+  and (
+    any(body.links,
+        .display_text == "Join with Google Meet"
+        and .href_url.domain.domain == "meet.google.com"
+    )
+  )
+  and (
+    (
+      regex.icontains(body.current_thread.text,
+                          (
+                            "mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
+                          )
+      )
+      and 3 of (
+        strings.ilike(body.current_thread.text, '*purchase*'),
+        strings.ilike(body.current_thread.text, '*payment*'),
+        strings.ilike(body.current_thread.text, '*transaction*'),
+        strings.ilike(body.current_thread.text, '*subscription*'),
+        strings.ilike(body.current_thread.text, '*antivirus*'),
+        strings.ilike(body.current_thread.text, '*order*'),
+        strings.ilike(body.current_thread.text, '*support*'),
+        strings.ilike(body.current_thread.text, '*help line*'),
+        strings.ilike(body.current_thread.text, '*receipt*'),
+        strings.ilike(body.current_thread.text, '*invoice*'),
+        strings.ilike(body.current_thread.text, '*call*'),
+        strings.ilike(body.current_thread.text, '*cancel*'),
+        strings.ilike(body.current_thread.text, '*renew*'),
+        strings.ilike(body.current_thread.text, '*refund*')
+      )
+      // toll-free phone number regex
+      and any([body.current_thread.text, subject.subject],
+              regex.icontains(., '\b\+?(\d{1}.)?\(?8\d{2}?\)?.\d{3}.?\d{4}\b')
+      )
+    )
+  )
+
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Out of band pivot"
+detection_methods:
+  - "Content analysis"
+id: "70e01845-b815-5be5-87ac-11ae7477367e"
