[PR #3428] added rule: Attachment: Credit card application with WhatsApp contact

github-actions[bot] · github-actions[bot] · commit a11f9ae4d86f · 2025-10-22T14:35:00.000Z
diff --git a/detection-rules/3428_attachment_creditcard_application_with_whatsapp.yml b/detection-rules/3428_attachment_creditcard_application_with_whatsapp.yml
@@ -0,0 +1,61 @@
+name: "Attachment: Credit card application with WhatsApp contact"
+description: "Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // promotional/advertising content targeting financial services
+  and (
+    regex.icontains(body.current_thread.text,
+                    "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
+    )
+    or regex.icontains(subject.subject,
+                       "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
+    )
+    or any(ml.nlu_classifier(body.current_thread.text).topics,
+           .name in ("Advertising and Promotions")
+    )
+  )
+  // PII harvesting template in attachments (3+ of these patterns)
+  and any(attachments,
+          any(file.explode(.),
+              3 of (
+                regex.icontains(.scan.strings.raw, "Credit Card Application"),
+                regex.icontains(.scan.strings.raw, "Date of Birth"),
+                regex.icontains(.scan.strings.raw, "[eE]mail"),
+                regex.icontains(.scan.strings.raw, "[aA]ddress"),
+                regex.icontains(.scan.strings.raw, "Contact No"),
+                regex.icontains(.scan.strings.raw, "Pan No"),
+                regex.icontains(.scan.strings.raw, "ADHAAR"),
+                regex.icontains(.scan.strings.raw, "Annual.*salary"),
+                regex.icontains(.scan.strings.raw, "Mother Name"),
+                regex.icontains(.scan.strings.raw, "Father Name"),
+                regex.icontains(.scan.strings.raw, "SINGLE.*MARRIED")
+              )
+          )
+  )
+  // WhatsApp contact method (suspicious for legitimate financial institutions)
+  and (
+    regex.icontains(body.current_thread.text, "whatsapp")
+    or any(attachments,
+           any(file.explode(.), regex.icontains(.scan.qr.url.url, "wa\\.me"))
+    )
+    or any(file.explode(file.message_screenshot()),
+           regex.icontains(.scan.qr.url.url, "wa\\.me")
+    )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Out of band pivot"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "QR code analysis"
+id: "aaeb35de-1b50-5222-ae9d-6b2fd167bb8a"
+og_id: "95b08315-93a6-5005-8f38-ff597eb9f947"
+testing_pr: 3428
+testing_sha: 75d66d2a1b9c365689b718a9e47a80d99a87e3ce
