Detection rules › Sublime MQL
Callback phishing via Apple ID display name abuse
Detects callback phishing that abuses legitimate Apple ID notification emails as a delivery mechanism. The threat actor sets their Apple ID display name to a callback scam lure (e.g., a fake charge with a phone number), which Apple then embeds in the "Dear [name]" greeting of a routine account change notification. This legitimate email is forwarded to multiple targets via a distribution list, bypassing sender reputation checks since it originates from Apple's real infrastructure. The rule extracts the name field from the greeting and applies NLU classification to detect callback scam language within it.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing |
| Tactics and techniques | Impersonation: Brand, Out of band pivot, Social engineering |
Event coverage
| Message attribute |
|---|
| body |
| body.current_thread |
| recipients.to (collection) |
| sender.email |
| type |
Rule body MQL
type.inbound
and sender.email.email == "appleid@id.apple.com"
and (
// the actor controls the name portion of the apple account, so extract that
// english starts with Dear, but other language might start with Hello,
// the email template and html div class names are the same between languages
any(html.xpath(body.html, '//div[@class="email-body"]').nodes,
any(regex.iextract(.display_text, '^(?P<first_line>[^\n]+)\n'),
// NLU catches the actor controlled values as callback
any(ml.nlu_classifier(beta.ml_translate(.named_groups["first_line"]).text
).intents,
.name == "callback_scam"
)
// we have to account for NLU not catching it as callback_scam
// this catches more than one digit followed by all capital letters
// 599 USD, we use the unicode category Lu for capital letters from a bunch of languges
or (
any(regex.extract(beta.ml_translate(.named_groups["first_line"]).text,
'(\d{2,} \p{Lu}{2,5} )'
),
not regex.icontains(.full_match, '[AP]M\s+$')
)
)
// commonly observed phrase "if not you call"
or strings.icontains(.named_groups["first_line"], "If not you call")
// first line ends in a phone number
or regex.contains(.named_groups["first_line"], '\d+,$')
)
)
// the email address of the apple account appears in the body of the message
or (
any(body.current_thread.links,
.parser == "plain"
and .href_url.scheme == "mailto"
// actor observed using `appleservice207@icloud.com`
and (
(
strings.istarts_with(strings.parse_email(.href_url.url).local_part,
'apple'
)
and strings.parse_email(.href_url.url).domain.domain not in $org_domains
)
// newly registered domains like peekaboo.baby
or network.whois(.href_url.domain).days_old < 30
)
)
)
)
and not recipients.to[0].email.domain.domain in $org_domains
Detection logic
Scope: inbound message.
Detects callback phishing that abuses legitimate Apple ID notification emails as a delivery mechanism. The threat actor sets their Apple ID display name to a callback scam lure (e.g., a fake charge with a phone number), which Apple then embeds in the "Dear [name]" greeting of a routine account change notification. This legitimate email is forwarded to multiple targets via a distribution list, bypassing sender reputation checks since it originates from Apple's real infrastructure. The rule extracts the name field from the greeting and applies NLU classification to detect callback scam language within it.
- inbound message
- sender.email.email is 'appleid@id.apple.com'
any of:
any of
html.xpath(body.html, '//div[@class="email-body"]').nodeswhere:any of
regex.iextract(.display_text)where any holds:any of
ml.nlu_classifier(beta.ml_translate(.named_groups['first_line']).text).intentswhere:- .name is 'callback_scam'
any of
regex.extract(...)where:not:
- .full_match matches '[AP]M\\s+$'
- .named_groups['first_line'] contains 'If not you call'
- .named_groups['first_line'] matches '\\d+,$'
any of
body.current_thread.linkswhere all hold:- .parser is 'plain'
- .href_url.scheme is 'mailto'
any of:
all of:
- strings.parse_email(.href_url.url).local_part starts with 'apple'
- strings.parse_email(.href_url.url).domain.domain not in $org_domains
- network.whois(.href_url.domain).days_old < 30
not:
- recipients.to[0].email.domain.domain in $org_domains
Inspects: body.current_thread.links, body.current_thread.links[].href_url.domain, body.current_thread.links[].href_url.scheme, body.current_thread.links[].href_url.url, body.current_thread.links[].parser, body.html, recipients.to[0].email.domain.domain, sender.email.email, type.inbound. Sensors: beta.ml_translate, html.xpath, ml.nlu_classifier, network.whois, regex.contains, regex.extract, regex.icontains, regex.iextract, strings.icontains, strings.istarts_with, strings.parse_email. Reference lists: $org_domains.
Indicators matched (10)
| Field | Match | Value |
|---|---|---|
sender.email.email | equals | appleid@id.apple.com |
regex.iextract | regex | ^(?P<first_line>[^\n]+)\n |
ml.nlu_classifier(beta.ml_translate(regex.iextract(html.xpath(body.html, '//div[@class="email-body"]').nodes[].display_text)[].named_groups['first_line']).text).intents[].name | equals | callback_scam |
regex.extract | regex | (\d{2,} \p{Lu}{2,5} ) |
regex.icontains | regex | [AP]M\s+$ |
strings.icontains | substring | If not you call |
regex.contains | regex | \d+,$ |
body.current_thread.links[].parser | equals | plain |
body.current_thread.links[].href_url.scheme | equals | mailto |
strings.istarts_with | prefix | apple |