Attachment: Callback Phishing solicitation via text file with a large unknown recipient list

Callback Phishing via text file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
name: "Attachment: Callback Phishing solicitation via text file with a large unknown recipient list"
description: "Callback Phishing via text file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender."
type: "rule"
severity: "medium"
# Every top-level `and` clause in the query must hold for a message to match.
source: |
  // Inbound mail only.
  type.inbound
  // Recipient check: more than 10 To: addresses, and at least 10 of them are
  // outside the org's domains and not previously seen recipients, where each
  // such address either has a valid domain or a display name containing
  // "undisclosed" (as in "undisclosed recipients").
  and (
    length(recipients.to) > 10
    and length(filter(recipients.to,
                      .email.domain.domain not in $org_domains
                      and .email.email not in $recipient_emails
                      and (
                        .email.domain.valid
                        or strings.icontains(.display_name, "undisclosed")
                      )
               )
    ) >= 10
  )
  // Sparse message: subject of at most 10 characters, no links, and either no
  // current-thread text or fewer than 50 characters of it.
  and length(subject.subject) <= 10
  and length(body.links) == 0
  and (body.current_thread.text is null or length(body.current_thread.text) < 50)
  // One to three attachments, at least one of which is text/plain and, once
  // exploded, yields a string matching one of the commonly impersonated brands
  // below together with a phone-number-like string (the callback lure).
  // `..scan.strings.strings` presumably refers back to the enclosing exploded
  // file, so the brand and the number must come from the same file — confirm.
  // The phone regex is deliberately loose: optional "+", an optional leading
  // digit (presumably a country code), optional "(" 3 digits ")", then any single
  // character as separator (the "." is unescaped), 3 digits, an optional
  // separator, and 4 digits. Because the unescaped "." also matches a digit,
  // long unbroken digit runs can satisfy it as well.
  and 0 < length(attachments) < 4
  and any(attachments,
          .content_type == "text/plain"
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      strings.ilike(.,
                                    "*mcafee*",
                                    "*norton*",
                                    "*geek squad*",
                                    "*paypal*",
                                    "*ebay*",
                                    "*symantec*",
                                    "*best buy*",
                                    "*lifelock*"
                      )
                      and any(..scan.strings.strings,
                              regex.icontains(.,
                                              '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b'
                              )
                      )
                  )
          )
  )
  // Sender reputation: not a commonly seen sender, unsolicited, and no recorded
  // false positives for this sender.
  and profile.by_sender().prevalence != "common"
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  // A high-trust root domain stays in scope only if some hop carrying a DMARC
  // result has a value ending in "fail"; all other root domains pass through.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
    

# Classification metadata used for triage and reporting.
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Header analysis"
  - "Sender analysis"

id: "ca39c83a-b308-532d-894b-528bdaef2748"