sublime-security · IndiaAce · Oct 22, 2025 · Oct 22, 2025 · Oct 24, 2025
@@ -0,0 +1,60 @@
+name: "Attachment: Credit card application with WhatsApp contact"
+description: "Detects messages containing promotional credit card offers with attached forms requesting extensive personal information (PII) and directing victims to contact via WhatsApp, indicating potential fraud."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  // promotional/advertising content targeting financial services
+  and (
+    (
+      regex.icontains(body.current_thread.text,
+                      "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free|special offer"
+      )
+      or regex.icontains(subject.subject,
+                         "credit card.*offer|promotional.*credit|free.*credit card|lifetime.*free"
+      )
+    )
+    and any(ml.nlu_classifier(body.current_thread.text).topics,
+            .name in ("Advertising and Promotions")
+    )
+  )
+  // PII harvesting template in attachments (3+ of these patterns)
+  and any(attachments,
+          any(file.explode(.),
+              3 of (
+                regex.icontains(.scan.strings.raw, "Credit Card Application"),
+                regex.icontains(.scan.strings.raw, "Date of Birth"),
+                regex.icontains(.scan.strings.raw, "[eE]mail"),
+                regex.icontains(.scan.strings.raw, "[aA]ddress"),
+                regex.icontains(.scan.strings.raw, "Contact No"),
+                regex.icontains(.scan.strings.raw, "Pan No"),
+                regex.icontains(.scan.strings.raw, "ADHAAR"),
+                regex.icontains(.scan.strings.raw, "Annual.*salary"),
+                regex.icontains(.scan.strings.raw, "Mother Name"),
+                regex.icontains(.scan.strings.raw, "Father Name"),
+                regex.icontains(.scan.strings.raw, "SINGLE.*MARRIED")
+              )
+          )
+  )
+  // WhatsApp contact method (suspicious for legitimate financial institutions)
+  and (
+    regex.icontains(body.current_thread.text, "whatsapp")
+    or any(attachments,
+           any(file.explode(.), regex.icontains(.scan.qr.url.url, "wa\\.me"))
+    )
+    or any(file.explode(file.message_screenshot()),
+           regex.icontains(.scan.qr.url.url, "wa\\.me")
+    )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Social engineering"
+  - "Out of band pivot"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Natural Language Understanding"
+  - "QR code analysis"
+id: "95b08315-93a6-5005-8f38-ff597eb9f947"