Attachment: Callback phishing solicitation via text-based file

Callback phishing delivered via a text-based file attachment, with a short body and subject, from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Attachment: Callback phishing solicitation via text-based file"
 2description: "Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender."
 3type: "rule"
 4severity: "medium"
  # detection logic (MQL); every top-level clause below is ANDed and must hold
 5source: |
 6  type.inbound
    // very short subject: 10 characters or fewer
 7  and length(subject.subject) <= 10
 8  // allow only when there are no links at all, or when every link is one of: a warning-banner extraction (no display text) whose display URL equals the sender's root domain, a link to aka.ms, or a link whose display domain is under 30 days old per WHOIS
 9  and (
10    length(body.links) == 0
11    or length(filter(body.links,
12                     (
13                       .display_text is null
14                       and .display_url.url == sender.email.domain.root_domain
15                     )
16                     or .href_url.domain.domain == "aka.ms"
17                     or network.whois(.display_url.domain).days_old < 30
18              )
19    ) == length(body.links)
20  )
    // empty or very short current-thread body: under 50 characters
21  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
    // at least one attachment, at most three
22  and 0 < length(attachments) < 4
    // some attachment is plain text or a Word document (by file_type) ...
23  and any(attachments,
24          (.content_type == "text/plain" or .file_type in ("doc", "docx"))
            // ... and, after exploding it, the top-level object or a text/plain child
25          and any(file.explode(.),
26                  (.depth == 0 or .flavors.mime == "text/plain")
                    // contains an extracted string naming one of these brands (case-insensitive wildcard match)
27                  and any(.scan.strings.strings,
28                          strings.ilike(.,
29                                        "*mcafee*",
30                                        "*norton*",
31                                        "*geek squad*",
32                                        "*paypal*",
33                                        "*ebay*",
34                                        "*symantec*",
35                                        "*best buy*",
36                                        "*lifelock*",
37                                        "*geek total*"
38                          )
                            // and some string from the same object looks like a phone number
                            // (".." is read here as the enclosing exploded object's scan - confirm);
                            // the second and third patterns also accept the letters i, l and o in digit positions
39                          and any(..scan.strings.strings,
40                                  regex.icontains(.,
41                                                  '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b',
42                                                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
43                                                  '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
44                                  )
45                          )
46                  )
47          )
48  )
    // sender profile: not a common sender, not solicited, and no prior benign messages
49  and profile.by_sender().prevalence != "common"
50  and not profile.by_sender().solicited
51  and not profile.by_sender().any_messages_benign
52  
53  // negate highly trusted sender domains unless they fail DMARC authentication
54  and (
55    (
56      sender.email.domain.root_domain in $high_trust_sender_root_domains
57      and (
58        any(distinct(headers.hops, .authentication_results.dmarc is not null),
59            strings.ilike(.authentication_results.dmarc, "*fail")
60        )
61      )
62    )
63    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
64  )  
65
66attack_types:
67  - "Callback Phishing"
68tactics_and_techniques:
69  - "Evasion"
70  - "Out of band pivot"
71  - "Social engineering"
72detection_methods:
73  - "Content analysis"
74  - "File analysis"
75  - "Header analysis"
76  - "Sender analysis"
77id: "ca39c83a-b308-532d-894b-528bdaef2748"