[Test Rules] [PR #4317] added rule: Body: Fake conversation with spouse mention and video call request

github-actions[bot] · github-actions[bot] · commit 02c0baa908ed · 2026-04-06T20:43:18.000Z
diff --git a/detection-rules/4317_body_spouse_fake_call.yml b/detection-rules/4317_body_spouse_fake_call.yml
@@ -0,0 +1,61 @@
+name: "Body: Fake conversation with spouse mention and video call request"
+description: "Detects messages with fake thread history containing references to a spouse combined with requests for video calls using platforms like Zoom or Google Meet."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(body.previous_threads) >= 3
+  and (
+    (
+      strings.icontains(body.previous_threads[length(body.previous_threads) - 2].text,
+                        "wife and i"
+      )
+      or strings.icontains(body.previous_threads[length(body.previous_threads) - 2].text,
+                           "husband and i"
+      )
+    )
+    and strings.icontains(body.previous_threads[length(body.previous_threads) - 2].text,
+                          "call"
+    )
+    and (
+      strings.icontains(body.previous_threads[length(body.previous_threads) - 2].text,
+                        "zoom"
+      )
+      or strings.icontains(body.previous_threads[length(body.previous_threads) - 2].text,
+                           "google meet"
+      )
+    )
+  )
+  or (
+    (
+      strings.icontains(body.previous_threads[length(body.previous_threads) - 3].text,
+                        "wife and i"
+      )
+      or strings.icontains(body.previous_threads[length(body.previous_threads) - 3].text,
+                           "husband and i"
+      )
+    )
+    and strings.icontains(body.previous_threads[length(body.previous_threads) - 3].text,
+                          "call"
+    )
+    and (
+      strings.icontains(body.previous_threads[length(body.previous_threads) - 3].text,
+                        "zoom"
+      )
+      or strings.icontains(body.previous_threads[length(body.previous_threads) - 3].text,
+                           "google meet"
+      )
+    )
+  )
+
+attack_types:
+  - "BEC/Fraud"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+id: "5b7a2e34-fda0-5aa7-ac6a-2bdd2c91dc05"
+og_id: "bd23f3b2-a1e5-5a7c-ab0c-c15d4c4458f5"
+testing_pr: 4317
+testing_sha: e65f9eecf2771cc426769431909a29ade310ee85
