heroui logo

Service abuse: Facebook mail notification callback scam

Sublime Rules

View Source
Summary
This rule detects inbound messages that spoof Facebook's official notification sender to facilitate a callback scam. It triggers when the email originates from notification@facebookmail.com and the displayed name is not the expected 'Facebook' (indicating display-name spoofing). It further requires that a Natural Language Understanding (NLU) classifier applied to the message body (body.current_thread.text) identifies an intent named 'callback_scam' with a confidence that is not 'low' (i.e., medium or high). By combining sender analysis with NLP-based intent detection, the rule flags potential social-engineering attempts that abuse a trusted brand to coerce victims into contacting fraudulent phone numbers. Attack surface includes email clients and related endpoints where such messages are received. Potential limitations include classifier coverage and legitimate variations in how legitimate Facebook communications present themselves. Recommended mitigations include user education, verifying communications via official Facebook channels, domain-based protections, and enabling additional verification (e.g., MFA).
Categories
  • Endpoint
  • Web
Data Sources
  • Process
Created: 2026-07-09