Attachment: Callback phishing solicitation via text-based file
Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.
Sublime rule
# Sublime Security detection rule; the `source` block is Message Query Language (MQL).
name: "Attachment: Callback phishing solicitation via text-based file"
description: "Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender."
type: "rule"
severity: "medium"
source: |
  // Callback-phishing lure: a very short subject and body, little or no real link content,
  // and a small text-style attachment that names a brand and carries a phone number,
  // from a sender this organisation has no benign history with.
  type.inbound
  and length(subject.subject) <= 10
  // Link check: either there are no links, or every link is one of
  //   - a bare-domain extraction (no display text) whose URL text equals the sender's root domain
  //     (e.g. pulled from a warning banner),
  //   - an href to aka.ms, or
  //   - a display domain registered less than 30 days ago (kept in the "allowed" set so a
  //     freshly registered link domain does not suppress the rule).
  // NOTE(review): `.display_url.url` (full URL text) is compared to a root domain, so this only
  // matches when the extracted text is the bare domain — confirm that is intended rather than
  // `.display_url.domain.root_domain`.
  and (
    length(body.links) == 0
    or length(filter(body.links,
                     (
                       .display_text is null
                       and .display_url.url == sender.email.domain.root_domain
                     )
                     or .href_url.domain.domain == "aka.ms"
                     or network.whois(.display_url.domain).days_old < 30
             )
    ) == length(body.links)
  )
  // Body of the current thread is absent or under 50 characters.
  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
  // One to three attachments.
  and 0 < length(attachments) < 4
  and any(attachments,
          // Candidate attachments: plain text, or a Word document.
          (.content_type == "text/plain" or .file_type in ("doc", "docx"))
          and any(file.explode(.),
                  // Depth 0 is the attachment itself; any deeper exploded item must be text/plain.
                  (.depth == 0 or .flavors.mime == "text/plain")
                  // Brand keyword and phone-number pattern may sit in different strings of the
                  // same exploded file: `..` steps back out to the enclosing file.explode item.
                  and any(.scan.strings.strings,
                          strings.ilike(.,
                                        "*mcafee*",
                                        "*norton*",
                                        "*geek squad*",
                                        "*paypal*",
                                        "*ebay*",
                                        "*symantec*",
                                        "*best buy*",
                                        "*lifelock*",
                                        "*geek total*"
                          )
                          // Phone-number patterns; the [ilo0-9] classes also accept the letters
                          // i, l and o in digit positions, presumably to catch lookalike substitutions.
                          and any(..scan.strings.strings,
                                  regex.icontains(.,
                                                  '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b',
                                                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                                  '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                                  )
                          )
                  )
          )
  )
  // Sender is not a common correspondent, was not solicited, and has no prior benign messages.
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign

  // negate highly trusted sender domains unless they fail DMARC authentication:
  // either the sender root domain is not on the high-trust list, or it is and some
  // hop with a DMARC result reports "*fail".
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"
# Stable identifier for this rule.
id: "ca39c83a-b308-532d-894b-528bdaef2748"