Service abuse: Payoneer callback scam
A fraudulent invoice or receipt is placed in the body of a message sent through Payoneer's own invoicing service, so the mail arrives from a legitimate payoneer.com sender. Callback phishing is an attempt by an attacker to solicit the victim (the recipient) into calling a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
name: "Service abuse: Payoneer callback scam"
description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and sender.email.domain.root_domain in ("payoneer.com")
  and (
    (
      // icontains a phone number
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
        )
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or ( // 8123456789
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[ilo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\+[1l]'
          )
        )
      )
      and (
        (
          // list of keywords taken from
          // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
          4 of (
            strings.ilike(body.html.inner_text, '*you did not*'),
            strings.ilike(body.html.inner_text, '*is not for*'),
            strings.ilike(body.html.inner_text, '*done by you*'),
            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
            strings.ilike(body.html.inner_text, "*Fruad Alert*"),
            strings.ilike(body.html.inner_text, "*Fraud Alert*"),
            strings.ilike(body.html.inner_text, '*using your PayPal*'),
            strings.ilike(body.html.inner_text, '*subscription*'),
            strings.ilike(body.html.inner_text, '*antivirus*'),
            strings.ilike(body.html.inner_text, '*order*'),
            strings.ilike(body.html.inner_text, '*support*'),
            strings.ilike(body.html.inner_text, '*receipt*'),
            strings.ilike(body.html.inner_text, '*invoice*'),
            strings.ilike(body.html.inner_text, '*Purchase*'),
            strings.ilike(body.html.inner_text, '*transaction*'),
            strings.ilike(body.html.inner_text, '*Market*Value*'),
            strings.ilike(body.html.inner_text, '*BTC*'),
            strings.ilike(body.html.inner_text, '*call*'),
            strings.ilike(body.html.inner_text, '*get in touch with our*'),
            strings.ilike(body.html.inner_text, '*quickly inform*'),
            strings.ilike(body.html.inner_text, '*quickly reach *'),
            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
            strings.ilike(body.html.inner_text, '*cancel*'),
            strings.ilike(body.html.inner_text, '*renew*'),
            strings.ilike(body.html.inner_text, '*refund*'),
            strings.ilike(body.html.inner_text, '*+1*'),
            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
          )
        )
      )
    )
    or (
      // Unicode confusables words obfuscated in note
      regex.icontains(body.html.inner_text,
                      '\+๐ญ|๐ฝ๐ฎ๐๐บ๐ฒ๐ป๐|๐๐ฒ๐น๐ฝ ๐๐ฒ๐๐ธ|๐ฟ๐ฒ๐ณ๐๐ป๐ฑ|๐ฎ๐ป๐๐ถ๐๐ถ๐ฟ๐๐|๐ฐ๐ฎ๐น๐น|๐ฐ๐ฎ๐ป๐ฐ๐ฒ๐น'
      )
    )
    or strings.ilike(body.html.inner_text, '*kindly*')
  )
attack_types:
  - "Callback Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Sender analysis"
  - "Header analysis"
  - "Content analysis"
id: "b7fb174c-c5a0-567a-8090-6ca142d94562"
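To exercise the rule's logic outside the Sublime platform, the following is an added Python port written for this page; it is not part of the rule or of Sublime's code. It reproduces the rule's gates (a payoneer.com root domain, zero attachments, a phone number in one of the listed shapes together with at least four of the listed keywords, or the bare "kindly" check) over constructed sample bodies. Two assumptions: `strings.replace_confusables` is approximated with Unicode NFKC normalisation (Sublime's confusables table is broader), and the port folds the body before the keyword check, which is how it covers the rule's hard-coded Unicode-bold alternatives instead of listing them. The sample messages are constructed, not real Payoneer mail.

```python
"""Python port of the core logic of the Payoneer callback-scam rule (added example)."""
import re
import unicodedata

ABUSED_SENDER_DOMAINS = ("payoneer.com",)
KEYWORD_THRESHOLD = 4

# Phone-number shapes from the rule. Sublime's regex.icontains is case-insensitive,
# so [ilo0-9] also covers I, L and O used as digit stand-ins. The trailing '.*\n'
# means the line carrying the number must end in a newline, as in the rule.
PHONE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r'.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n',
    r'.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n',                        # +12028001238
    r'.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n',              # 202.800.1238
    r'.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n',                # 202-800-1238
    r'.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n',  # (202) 800-1238
    r'.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n',            # (202)-800-1238
)]
# A bare 10-digit number starting with 8 only counts when a '+1' also appears.
EIGHT_PREFIX = re.compile(r'.*8[ilo0-9]{9}.*\n', re.IGNORECASE)
PLUS_ONE = re.compile(r'\+[1l]', re.IGNORECASE)

# The rule's strings.ilike globs: '*' is a wildcard and matching is case-insensitive.
KEYWORD_GLOBS = (
    '*you did not*', '*is not for*', '*done by you*', '*Fruad Alert*',
    '*Fraud Alert*', '*using your PayPal*', '*subscription*', '*antivirus*',
    '*order*', '*support*', '*receipt*', '*invoice*', '*Purchase*',
    '*transaction*', '*Market*Value*', '*BTC*', '*call*',
    '*get in touch with our*', '*quickly inform*', '*quickly reach *',
    '*detected unusual transactions*', '*cancel*', '*renew*', '*refund*', '*+1*',
)
KEYWORD_REGEXES = (r"didn't ma[kd]e this", r'help.{0,3}desk')


def glob_to_regex(glob: str) -> re.Pattern:
    """Translate an ilike glob into a regex; literal segments are escaped."""
    return re.compile('.*'.join(re.escape(part) for part in glob.split('*')),
                      re.IGNORECASE | re.DOTALL)


KEYWORD_PATTERNS = [glob_to_regex(g) for g in KEYWORD_GLOBS] + [
    re.compile(r, re.IGNORECASE) for r in KEYWORD_REGEXES
]


def fold_confusables(text: str) -> str:
    """Assumed stand-in for strings.replace_confusables: NFKC maps mathematical
    bold/sans-serif letters and digits, fullwidth forms, etc. back to ASCII."""
    return unicodedata.normalize('NFKC', text)


def phone_number_present(folded: str) -> bool:
    """True when any phone shape appears; expects already-folded text."""
    if any(p.search(folded) for p in PHONE_PATTERNS):
        return True
    return bool(EIGHT_PREFIX.search(folded) and PLUS_ONE.search(folded))


def keyword_hits(text: str) -> int:
    """Number of distinct keyword patterns present (the rule needs 4 of them)."""
    return sum(1 for p in KEYWORD_PATTERNS if p.search(text))


def rule_matches(inbound: bool, attachment_count: int,
                 sender_root_domain: str, body: str) -> bool:
    """Mirror of the rule's top-level boolean structure."""
    if not inbound or attachment_count != 0:
        return False
    if sender_root_domain not in ABUSED_SENDER_DOMAINS:
        return False
    folded = fold_confusables(body)
    if phone_number_present(folded) and keyword_hits(folded) >= KEYWORD_THRESHOLD:
        return True
    return 'kindly' in folded.lower()   # the rule's final, very broad branch


# Constructed sample bodies (not real messages). Digits use O and l stand-ins.
SCAM_BODY = (
    "Fraud Alert: a subscription renewal of $499.99 for antivirus protection "
    "was charged to your account.\n"
    "If you did not authorize this transaction, call our support desk at "
    "+1 (8O2) 555-O199 to cancel and get a refund.\n"
)
BENIGN_BODY = (
    "Hello,\n"
    "Your invoice #48213 for $250.00 was paid on 2024-03-12.\n"
    "Thank you for using Payoneer.\n"
)
# Same lure with 'call', '1' and 'refund' written in mathematical sans-serif bold.
OBFUSCATED_BODY = (
    "\U0001D5F0\U0001D5EE\U0001D5F9\U0001D5F9 +\U0001D7ED (8O2) 555-O199 "
    "to cancel this subscription and request a "
    "\U0001D5FF\U0001D5F2\U0001D5F3\U0001D602\U0001D5FB\U0001D5F1.\n"
)

if __name__ == "__main__":
    for label, body in (("scam", SCAM_BODY), ("benign", BENIGN_BODY),
                        ("obfuscated", OBFUSCATED_BODY)):
        print(f"{label:>10}: match={rule_matches(True, 0, 'payoneer.com', body)} "
              f"keywords={keyword_hits(fold_confusables(body))}")
```

Running the port shows the point of the fold: the obfuscated body yields only two keyword hits as written and five once folded, which is what lets the phone-plus-keywords branch fire without enumerating each bold spelling. It also preserves the rule's quirks a reviewer should know about: the phone patterns require the number's line to end in a newline, and the standalone "kindly" branch fires on any attachment-free payoneer.com message containing that word.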