heroui logo

Service abuse: Oracle Cloud Workflow callback scam

Sublime Rules

View Source
Summary
This rule detects inbound messages delivered via Oracle Cloud's workflow mail domain (workflow.mail.us2.cloud.oracle.com) that carry callback scam content embedded in styled HTML table cells. It narrows to messages where the sender domain matches the Oracle workflow endpoint, then inspects the HTML body for a td element styled with padding: 20px 40px containing a font element with an empty style attribute. If matched, it applies a natural language understanding (NLU) classifier to the inner text and triggers when the classifier reports an intent named 'callback_scam' with confidence higher than 'low'. When both HTML-pattern and NLU signals are present, the rule fires at a medium severity level. This detects abuse of legitimate Oracle Cloud infrastructure to deliver fraudulent callback content, i.e., callback phishing. Detection methods include: Sender analysis, HTML content analysis, and Natural Language Understanding. Tactics and techniques involved are social engineering and brand impersonation.
Categories
  • Cloud
  • Web
Data Sources
  • Network Traffic
Created: 2026-07-11