Attachment: Callback Phishing solicitation via text-based file with a large unknown recipient list

Callback Phishing via text-based file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapping an MQL query in `source`.
# Every top-level `and` clause in the query must hold for a message to match.
name: "Attachment: Callback Phishing solicitation via text-based file with a large unknown recipient list"
description: "Callback Phishing via text-based file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender."
type: "rule"
severity: "medium"
source: |
  // Inbound mail only.
  type.inbound
  // Mass-mailed to strangers: more than 10 To: recipients, of which at least 10
  // are outside the org's domains, absent from the known-recipient list, and
  // either carry a valid domain or look like an "undisclosed recipients" placeholder.
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (
                        .email.domain.valid
                        or strings.icontains(.display_name, "undisclosed")
                      )
               )
    ) >= 10
  )
  // Terse subject: 10 characters or fewer.
  and length(subject.subject) <= 10
  // Links are absent, or every link is one of: a bare extraction from a warning
  // banner whose displayed URL equals the sender's root domain, a link to aka.ms,
  // or a link whose displayed domain's whois record is under 30 days old.
  // NOTE(review): network.whois is evaluated per link that fails the first two
  // tests; what happens when the lookup yields no days_old is not visible here.
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
              )
    ) == length(body.links)
  )
  // Little or no text in the current thread (under 50 characters).
  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
  // One to three attachments.
  and 0 < length(attachments) < 4
  // A plain-text or Word attachment (or a plain-text file one level inside it)
  // whose extracted strings name an impersonated brand AND contain a
  // phone-number-like string -- the "call this number" lure.
  // The `..` in the inner any() appears to step back to the exploded file's
  // string list, so the brand and the phone number may be separate strings.
  // Phone regex: optional +, optional country digit plus separator, optionally
  // parenthesised 3 digits, separator(s), 3 digits, separator(s), 4 digits.
  // NOTE(review): both inter-group separators are mandatory ('.' rather than
  // '.?'), so an unformatted 10- or 11-digit run such as 8005551234 cannot
  // match; confirm that gap is intended. `\d{3}?` is a lazy quantifier on a
  // fixed count and behaves exactly like `\d{3}`.
  and any(attachments,
          (.content_type == "text/plain" or .file_type in ("doc", "docx"))
          and any(file.explode(.),
                  (.depth == 0 or (.depth == 1 and .flavors.mime == "text/plain"))
                  and any(.scan.strings.strings,
                          strings.ilike(.,
                                        "*mcafee*",
                                        "*norton*",
                                        "*geek squad*",
                                        "*paypal*",
                                        "*ebay*",
                                        "*symantec*",
                                        "*best buy*",
                                        "*lifelock*",
                                        "*geek total*"
                          )
                          and any(..scan.strings.strings,
                                  regex.icontains(.,
                                                  '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b'
                                  )
                          )
                  )
          )
  )
  // Sender is not a common correspondent, was never solicited, and has no
  // recorded false positives in its profile.
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication:
  // a high-trust root domain matches only if some hop's DMARC result ends in
  // "fail"; any other root domain passes this clause unconditionally.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )


# Categorisation metadata for the rule.
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"

id: "ca39c83a-b308-532d-894b-528bdaef2748"