Detection rules › Sublime MQL
Callback scam: Impersonation via TimeTrade infrastructure
Detects callback scam messages that abuse legitimate TimeTrade sending infrastructure to impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, or LifeLock. The message contains purchase, payment, or subscription-related terms along with a phone number, soliciting victims to call for fraudulent support.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing |
| Tactics and techniques | Impersonation: Brand, Out of band pivot, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| subject |
| type |
Rule body MQL
type.inbound
// Legitimate TimeTrade sending infratructure
and sender.email.domain.root_domain == 'timetrade.com'
// Callback Phishing
and regex.icontains(body.current_thread.text,
(
"mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
)
)
and 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(.,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
)
Detection logic
Scope: inbound message.
Detects callback scam messages that abuse legitimate TimeTrade sending infrastructure to impersonate well-known brands like McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, or LifeLock. The message contains purchase, payment, or subscription-related terms along with a phone number, soliciting victims to call for fraudulent support.
- inbound message
- sender.email.domain.root_domain is 'timetrade.com'
- body.current_thread.text matches 'mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck'
at least 3 of 14: body.current_thread.text matches any of 14 patterns
*purchase**payment**transaction**subscription**antivirus**order**support**help line**receipt**invoice**call**cancel**renew**refund*
any of
[body.current_thread.text, subject.subject]where:. matches any of 2 patterns
\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
Inspects: body.current_thread.text, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: regex.icontains, strings.ilike.
Indicators matched (18)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | equals | timetrade.com |
regex.icontains | regex | mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck |
strings.ilike | substring | *purchase* |
strings.ilike | substring | *payment* |
strings.ilike | substring | *transaction* |
strings.ilike | substring | *subscription* |
strings.ilike | substring | *antivirus* |
strings.ilike | substring | *order* |
strings.ilike | substring | *support* |
strings.ilike | substring | *help line* |
strings.ilike | substring | *receipt* |
strings.ilike | substring | *invoice* |
6 more
strings.ilike | substring | *call* |
strings.ilike | substring | *cancel* |
strings.ilike | substring | *renew* |
strings.ilike | substring | *refund* |
regex.icontains | regex | \+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4} |
regex.icontains | regex | \+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4} |