Detection rules › Sublime MQL
Callback phishing via Yammer comment
Detects callback scams sent through Yammer infrastructure containing suspicious payment-related keywords and phone numbers. The rule identifies messages with callback scam language patterns or multiple financial transaction terms combined with phone number patterns in the message body or subject line.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing |
| Tactics and techniques | Impersonation: Brand, Out of band pivot, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| sender.email |
| subject |
| type |
Rule body MQL
type.inbound
// message from Yammer sending infratructure
and sender.email.domain.root_domain == 'yammer.com'
and length(body.current_thread.text) < 2000
// Callback Phishing
and (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("callback_scam") and .confidence in ("medium", "high")
)
or 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(.,
'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
)
)
// negate benign threads
and not any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "benign" and .confidence == "high"
)
Detection logic
Scope: inbound message.
Detects callback scams sent through Yammer infrastructure containing suspicious payment-related keywords and phone numbers. The rule identifies messages with callback scam language patterns or multiple financial transaction terms combined with phone number patterns in the message body or subject line.
- inbound message
- sender.email.domain.root_domain is 'yammer.com'
- length(body.current_thread.text) < 2000
any of:
any of
ml.nlu_classifier(body.current_thread.text).intentswhere all hold:- .name in ('callback_scam')
- .confidence in ('medium', 'high')
at least 3 of 14: body.current_thread.text matches any of 14 patterns
*purchase**payment**transaction**subscription**antivirus**order**support**help line**receipt**invoice**call**cancel**renew**refund*
any of
[body.current_thread.text, subject.subject]where:. matches any of 2 patterns
\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
not:
any of
ml.nlu_classifier(body.current_thread.text).intentswhere all hold:- .name is 'benign'
- .confidence is 'high'
Inspects: body.current_thread.text, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.ilike.
Indicators matched (22)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | equals | yammer.com |
ml.nlu_classifier(body.current_thread.text).intents[].name | member | callback_scam |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high |
strings.ilike | substring | *purchase* |
strings.ilike | substring | *payment* |
strings.ilike | substring | *transaction* |
strings.ilike | substring | *subscription* |
strings.ilike | substring | *antivirus* |
strings.ilike | substring | *order* |
strings.ilike | substring | *support* |
strings.ilike | substring | *help line* |
10 more
strings.ilike | substring | *receipt* |
strings.ilike | substring | *invoice* |
strings.ilike | substring | *call* |
strings.ilike | substring | *cancel* |
strings.ilike | substring | *renew* |
strings.ilike | substring | *refund* |
regex.icontains | regex | \+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4} |
regex.icontains | regex | \+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4} |
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | benign |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high |