Attachment: Callback Phishing solicitation via text file with a large unknown recipient list
Callback Phishing via text file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender.
name: "Attachment: Callback Phishing solicitation via text file with a large unknown recipient list"
description: "Callback Phishing via text file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender."
type: "rule"
severity: "medium"
# Detection logic (Sublime MQL). All top-level predicates below are AND-ed, so every one of
# them must hold for the rule to fire: inbound message, large external/unknown To list,
# near-empty subject and body with no links, 1-3 attachments of which at least one is a
# text/plain file naming an impersonated brand and carrying a phone-number-shaped string,
# and a sender with no established relationship (unless they are a high-trust root domain
# that passes DMARC).
source: |
  type.inbound
  // Bulk blast indicator: more than 10 To recipients, at least 10 of which are both outside
  // the org and not previously seen. $org_domains and $recipient_emails are Sublime-provided
  // lists — presumably the org's domains and historically observed recipients; confirm in
  // the environment. Each counted recipient must have a valid domain OR an "undisclosed"
  // display name (the placeholder mailers use for hidden recipient lists).
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (
                        .email.domain.valid
                        or strings.icontains(.display_name, "undisclosed")
                      )
                     )
        ) >= 10
  )
  // Thin lure: the message itself carries almost nothing, the content lives in the attachment.
  and length(subject.subject) <= 10
  and length(body.links) == 0
  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
  and 0 < length(attachments) < 4
  // At least one text/plain attachment whose extracted strings mention one of the listed
  // brands AND contain a phone-number-shaped string (the callback number).
  and any(attachments,
          .content_type == "text/plain"
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*mcafee*",
                                    "*norton*",
                                    "*geek squad*",
                                    "*paypal*",
                                    "*ebay*",
                                    "*symantec*",
                                    "*best buy*",
                                    "*lifelock*"
                      )
                      // ".." appears to step back out to the exploded file so the phone
                      // check runs over that file's full string set, not only the brand hit.
                      and any(..scan.strings.strings,
                              // Loose phone pattern: the unescaped "." separators match any
                              // single character, and the "?" after \d{3} appears to be a
                              // no-op lazy modifier on an exact count. NOTE(review): confirm
                              // the looseness is intentional before tightening — it is what
                              // tolerates unusual separators between digit groups.
                              regex.icontains(.,
                                              '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b'
                              )
                      )
                  )
          )
  )
  // Sender has no established relationship: not commonly seen, never solicited, and no
  // prior false positives recorded against this sender profile.
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

  // negate highly trusted sender domains unless they fail DMARC authentication
  // (a trusted root domain only stays in scope when some hop with a DMARC result
  // reports a value ending in "fail", i.e. the trusted domain looks spoofed)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )


attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"

id: "ca39c83a-b308-532d-894b-528bdaef2748"