Attachment: Callback phishing solicitation via text-based file
Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.
Sublime rule (View on GitHub)
1name: "Attachment: Callback phishing solicitation via text-based file"
2description: "Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and length(subject.subject) <= 10
8 // there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
9 and (
10 length(body.links) == 0
11 or length(filter(body.links,
12 (
13 .display_text is null
14 and .display_url.url == sender.email.domain.root_domain
15 )
16 or .href_url.domain.domain == "aka.ms"
17 or network.whois(.display_url.domain).days_old < 30
18 )
19 ) == length(body.links)
20 )
21 and (body.current_thread.text is null or length(body.current_thread.text) < 50)
22 and 0 < length(attachments) < 4
23 and any(attachments,
24 (
25 .content_type == "text/plain"
26 or .file_type in ("doc", "docx", "xls", "xlsx")
27 )
28 and any(file.explode(.),
29 (.depth == 0 or .flavors.mime == "text/plain")
30 // 4 of the following strings are found
31 and 4 of (
32 // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
33 strings.icontains(.scan.strings.raw, "purchase"),
34 strings.icontains(.scan.strings.raw, "payment"),
35 strings.icontains(.scan.strings.raw, "transaction"),
36 strings.icontains(.scan.strings.raw, "subscription"),
37 strings.icontains(.scan.strings.raw, "antivirus"),
38 strings.icontains(.scan.strings.raw, "order"),
39 strings.icontains(.scan.strings.raw, "support"),
40 strings.icontains(.scan.strings.raw, "help line"),
41 strings.icontains(.scan.strings.raw, "receipt"),
42 strings.icontains(.scan.strings.raw, "invoice"),
43 strings.icontains(.scan.strings.raw, "call"),
44 strings.icontains(.scan.strings.raw, "helpdesk"),
45 strings.icontains(.scan.strings.raw, "cancel"),
46 strings.icontains(.scan.strings.raw, "renew"),
47 strings.icontains(.scan.strings.raw, "refund"),
48 regex.icontains(.scan.strings.raw, "(?:reach|contact) us at"),
49 strings.icontains(.scan.strings.raw, "+1"),
50 strings.icontains(.scan.strings.raw, "amount"),
51 strings.icontains(.scan.strings.raw, "charged"),
52 strings.icontains(.scan.strings.raw, "crypto"),
53 strings.icontains(.scan.strings.raw, "wallet address"),
54 regex.icontains(.scan.strings.raw, '\$\d{3}\.\d{2}\b'),
55 regex.icontains(.scan.strings.raw,
56 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
57 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
58 ),
59 )
60 // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
61 and regex.icontains(.scan.strings.raw,
62 '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
63 )
64 )
65 )
66 and profile.by_sender().prevalence != "common"
67 and not profile.by_sender().solicited
68 and not profile.by_sender().any_messages_benign
69
70 // negate highly trusted sender domains unless they fail DMARC authentication
71 and (
72 (
73 sender.email.domain.root_domain in $high_trust_sender_root_domains
74 and (
75 any(distinct(headers.hops, .authentication_results.dmarc is not null),
76 strings.ilike(.authentication_results.dmarc, "*fail")
77 )
78 )
79 )
80 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
81 )
82
83attack_types:
84 - "Callback Phishing"
85tactics_and_techniques:
86 - "Evasion"
87 - "Out of band pivot"
88 - "Social engineering"
89detection_methods:
90 - "Content analysis"
91 - "File analysis"
92 - "Header analysis"
93 - "Sender analysis"
94id: "ca39c83a-b308-532d-894b-528bdaef2748"