
Commit af65a8d

authored
Update callback phishing via zoom comment rule
Added additional conditions to detect callback phishing related to host keys.
1 parent 8d9d528 commit af65a8d


1 file changed

+5
-1
lines changed


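--- a/detection-rules/callback_phishing_zoom_comment.yml
+++ b/detection-rules/callback_phishing_zoom_comment.yml
@@ -19,6 +19,9 @@ source: |
 "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
 )
 )
+and any(ml.nlu_classifier(body.current_thread.text).intents,
+.name == "callback_scam" and .confidence != "low"
+)
 and 3 of (
 strings.ilike(body.current_thread.text, '*purchase*'),
 strings.ilike(body.current_thread.text, '*payment*'),
@@ -33,7 +36,8 @@ source: |
 strings.ilike(body.current_thread.text, '*call*'),
 strings.ilike(body.current_thread.text, '*cancel*'),
 strings.ilike(body.current_thread.text, '*renew*'),
-strings.ilike(body.current_thread.text, '*refund*')
+strings.ilike(body.current_thread.text, '*refund*'),
+strings.ilike(body.current_thread.text, '*host key*')
 )
 // phone number regex
 and any([body.current_thread.text, subject.subject],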
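Review bot: The new `and any(ml.nlu_classifier(body.current_thread.text).intents, ...)` clause in the first hunk is a hard requirement, so a message that previously matched on the brand regex, the `3 of` keywords and the phone-number check is now dropped whenever the classifier returns no `callback_scam` intent or only a `low` one; the commit description reads as widening coverage, so confirm against known samples that this narrowing is intended. If it is, a comment above the clause would record the reason, e.g. `// require a non-low NLU callback_scam intent to limit false positives on ordinary Zoom comments`. In the second hunk, `'*host key*'` matches only the single-space spelling; `regex.icontains(body.current_thread.text, 'host.?key')` would also cover `hostkey` and `host-key`. The `source:` expression starts above and continues below both hunks, so how these conditions combine with the rest of the rule is not visible here.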
