[Test Rules] [PR #4300] added rule: Attachment: Callback scam file extension

Author: github-actions[bot]

detection-rules/4300_callback_scam_file_extension.yml

@@ -0,0 +1,29 @@
+name: "Attachment: Callback scam file extension"
+description: "Detects inbound messages with short or no text content containing an attachment that exhibit callback scam characteristics, sent from untrusted domains."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (body.current_thread.text is null or length(body.current_thread.text) < 500)
+  and any(attachments,
+          (.file_extension in~ ("ppt", "pptx"))
+          and (
+            any(file.explode(.),
+                any(ml.nlu_classifier(.scan.strings.raw).intents,
+                    .name == "callback_scam" and .confidence != "low"
+                )
+            )
+          )
+  )
+  and not sender.email.domain.root_domain in $high_trust_sender_root_domains
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Social engineering"
+detection_methods:
+  - "File analysis"
+  - "Sender analysis"
+id: "17aeb612-ba56-50aa-871a-110a553f3339"
+og_id: "769b3333-4cde-544c-a081-ef9a75dddd24"
+testing_pr: 4300
+testing_sha: 6f611f8b243d9f4bd642573fe1420dc9eaa48c85