BEC/Fraud: Student loan callback phishing

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

This rule detects phishing emails that attempt to engage the recipient by soliciting a callback under the guise of student loan forgiveness or assistance. The messages often come from free email providers, lack a proper HTML structure, and include suspicious indicators such as phone numbers embedded in the text. These emails typically contain language urging the recipient to respond or take immediate action, leveraging urgency around student loan repayment to entice engagement.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category	Values
Attack types	BEC/Fraud
Tactics and techniques	Free email provider, Out of band pivot, Social engineering

Event coverage

Message attribute
body.current_thread
body.html
sender.email
type

Rule body MQL

type.inbound
// there is no HTML body
and body.html.raw is null

// but the current thread contains what's most likely an html tag
// (eg. <>'s' followed by a closing </> )
and regex.contains(body.current_thread.text, '<[^>]+>.*?</[^>]+>')

// and the body mentions student loans
and strings.icontains(body.current_thread.text, "Student Loan")

// sourced from a free mail provider
and sender.email.domain.root_domain in $free_email_providers

// contains a phone number
and (
  regex.contains(strings.replace_confusables(body.current_thread.text),
                 '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
  )
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '\+\d{1,3}[ilo0-9]{10}'
  )
  // +12028001238
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}'
  )
  // 202.800.1238
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}'
  )
  // 202-800-1238
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}'
  )
  // (202) 800-1238
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}'
  )
  // (202)-800-1238
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '1 [ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}'
  ) // 8123456789
  or regex.contains(strings.replace_confusables(body.current_thread.text),
                    '8\d{9}'
  )
)

// contains a request
and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "request"
)

Detection logic

Scope: inbound message.

inbound message
body.html.raw is missing
body.current_thread.text matches '<[^>]+>.*?</[^>]+>'
body.current_thread.text contains 'Student Loan'
sender.email.domain.root_domain in $free_email_providers
strings.replace_confusables(body.current_thread.text) matches any of 8 patterns
- \+?(\d{1}.)?$?\d{3}?$?.\d{3}.?\d{4}
- \+\d{1,3}[ilo0-9]{10}
- [ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}
- [ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}
- $[ilo0-9]{3}$\s[ilo0-9]{3}-[ilo0-9]{4}
- $[ilo0-9]{3}$[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}
- 1 [ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}
- 8\d{9}
any of ml.nlu_classifier(body.current_thread.text).entities where:
- .name is 'request'

Inspects: body.current_thread.text, body.html.raw, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, regex.contains, strings.icontains, strings.replace_confusables. Reference lists: $free_email_providers.

Indicators matched (11)

Field	Match	Value
`regex.contains`	regex	`<[^>]+>.*?</[^>]+>`
`strings.icontains`	substring	`Student Loan`
`regex.contains`	regex	`\+?(\d{1}.)?$?\d{3}?$?.\d{3}.?\d{4}`
`regex.contains`	regex	`\+\d{1,3}[ilo0-9]{10}`
`regex.contains`	regex	`[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}`
`regex.contains`	regex	`[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}`
`regex.contains`	regex	`$[ilo0-9]{3}$\s[ilo0-9]{3}-[ilo0-9]{4}`
`regex.contains`	regex	`$[ilo0-9]{3}$[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}`
`regex.contains`	regex	`1 [ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}`
`regex.contains`	regex	`8\d{9}`
`ml.nlu_classifier(body.current_thread.text).entities[].name`	equals	`request`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)