[PR #3094] changed rule: Google Classroom Spoofing With WhatsApp Contact Information

github-actions[bot] · github-actions[bot] · commit b2edba40202f · 2025-08-18T15:08:22.000Z
diff --git a/detection-rules/3094_abuse_google_classroom.yml b/detection-rules/3094_abuse_google_classroom.yml
@@ -0,0 +1,30 @@
+name: "Google Classroom Spoofing With WhatsApp Contact Information"
+description: "Detects messages impersonating Google Classroom notifications that contain WhatsApp contact information, likely attempting to redirect victims to out-of-band communication channels for social engineering attacks."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and sender.email.email == "no-reply@classroom.google.com"
+  and (
+    regex.icontains(body.current_thread.text, '\bWhatsapp:?.[:0-9+ ]{7,20}\b')
+    or (
+      strings.icontains(body.current_thread.text, "WhatsApp")
+      and strings.icontains(body.current_thread.text, "invited")
+    )
+  )
+
+attack_types:
+  - "Callback Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Out of band pivot"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Header analysis"
+  - "Sender analysis"
+id: "8e931efb-2d86-58b6-ae0e-2a7c1fd11c97"
+og_id: "e9c39e92-4817-535a-91f9-13ad68885ff9"
+testing_pr: 3094
+testing_sha: 3b3d41b30bbd4df2faa70de2dc92205a0585dd20
