Attachment: Callback phishing solicitation via text-based file

Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.

Sublime rule (View on GitHub)

 1name: "Attachment: Callback phishing solicitation via text-based file"
 2description: "Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(subject.subject) <= 10
 8  // there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
 9  and (
10    length(body.links) == 0
11    or length(filter(body.links,
12                     (
13                       .display_text is null
14                       and .display_url.url == sender.email.domain.root_domain
15                     )
16                     or .href_url.domain.domain == "aka.ms"
17                     or network.whois(.display_url.domain).days_old < 30
18              )
19    ) == length(body.links)
20  )
21  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
22  and 0 < length(attachments) < 4
23  and any(attachments,
24          (
25            .content_type == "text/plain"
26            or .file_type in ("doc", "docx", "xls", "xlsx")
27          )
28          and any(file.explode(.),
29                  (.depth == 0 or .flavors.mime == "text/plain")
30                  // 4 of the following strings are found        
31                  and 4 of (
32                    // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
33                    strings.icontains(.scan.strings.raw, "purchase"),
34                    strings.icontains(.scan.strings.raw, "payment"),
35                    strings.icontains(.scan.strings.raw, "transaction"),
36                    strings.icontains(.scan.strings.raw, "subscription"),
37                    strings.icontains(.scan.strings.raw, "antivirus"),
38                    strings.icontains(.scan.strings.raw, "order"),
39                    strings.icontains(.scan.strings.raw, "support"),
40                    strings.icontains(.scan.strings.raw, "help line"),
41                    strings.icontains(.scan.strings.raw, "receipt"),
42                    strings.icontains(.scan.strings.raw, "invoice"),
43                    strings.icontains(.scan.strings.raw, "call"),
44                    strings.icontains(.scan.strings.raw, "helpdesk"),
45                    strings.icontains(.scan.strings.raw, "cancel"),
46                    strings.icontains(.scan.strings.raw, "renew"),
47                    strings.icontains(.scan.strings.raw, "refund"),
48                    regex.icontains(.scan.strings.raw, "(?:reach|contact) us at"),
49                    strings.icontains(.scan.strings.raw, "+1"),
50                    strings.icontains(.scan.strings.raw, "amount"),
51                    strings.icontains(.scan.strings.raw, "charged"),
52                    strings.icontains(.scan.strings.raw, "crypto"),
53                    strings.icontains(.scan.strings.raw, "wallet address"),
54                    regex.icontains(.scan.strings.raw, '\$\d{3}\.\d{2}\b'),
55                    regex.icontains(.scan.strings.raw,
56                                    '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
57                                    '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
58                    ),
59                  )
60                  // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
61                  and regex.icontains(.scan.strings.raw,
62                                      '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
63                  )
64          )
65  )
66  and profile.by_sender().prevalence != "common"
67  and not profile.by_sender().solicited
68  and not profile.by_sender().any_messages_benign
69  
70  // negate highly trusted sender domains unless they fail DMARC authentication
71  and (
72    (
73      sender.email.domain.root_domain in $high_trust_sender_root_domains
74      and (
75        any(distinct(headers.hops, .authentication_results.dmarc is not null),
76            strings.ilike(.authentication_results.dmarc, "*fail")
77        )
78      )
79    )
80    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
81  )  
82
83attack_types:
84  - "Callback Phishing"
85tactics_and_techniques:
86  - "Evasion"
87  - "Out of band pivot"
88  - "Social engineering"
89detection_methods:
90  - "Content analysis"
91  - "File analysis"
92  - "Header analysis"
93  - "Sender analysis"
94id: "ca39c83a-b308-532d-894b-528bdaef2748"
to-top