Attachment: Callback Phishing solicitation via image file
A fraudulent invoice/receipt found in an image attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule:

```yaml
name: "Attachment: Callback Phishing solicitation via image file"
description: |
  A fraudulent invoice/receipt found in an image attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or sender.email.domain.root_domain in ("onmicrosoft.com")
    or (
      (
        length(recipients.to) == 0
        or all(recipients.to, .display_name == "Undisclosed recipients")
      )
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
    )
  )
  and any(attachments,
          // exclude images taken with mobile cameras and screenshots from android
          .file_type in $file_types_images
          and any(file.explode(.),
                  not any(.scan.exiftool.fields,
                          .key == "Model"
                          or (
                            .key == "Software"
                            and strings.starts_with(.value, "Android")
                          )
                  )
                  // exclude images taken with mobile cameras and screenshots from Apple
                  and not any(.scan.exiftool.fields,
                              .key == "DeviceManufacturer"
                              and .value == "Apple Computer Inc."
                  )
                  and not any(.scan.exiftool.fields,
                              .key == "UserComment" and .value == "Screenshot"
                  )
                  and 4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "+1")
                  )
          )
          and any(file.explode(.),
                  regex.icontains(.scan.ocr.raw,
                                  'p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|mcafee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere'
                  )
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
```
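To make the attachment-level logic concrete, here is an added Python re-implementation (not part of the Sublime rule or its repository) of the exiftool exclusions, the "4 of" OCR keyword threshold and the brand regex, run against a constructed OCR transcript. The sender-profile and recipient checks are left out, and the `exif` dict and `ocr_text` string are assumed inputs standing in for `.scan.exiftool.fields` and `.scan.ocr.raw`.

```python
import re

# Keyword list and brand regex are copied from the rule's "4 of" block and
# regex.icontains() call; everything else is an added harness, not rule code.
KEYWORDS = ["purchase", "subscription", "antivirus", "order", "support",
            "receipt", "amount", "charged", "invoice", "call", "cancel",
            "renew", "refund", "+1"]
BRAND_RE = re.compile(
    r"p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|mcafee|n[o0]rt[o0]n|geek.{0,5}squad"
    r"|ebay|symantec|best buy|lifel[o0]c|secure anywhere",
    re.IGNORECASE,
)

def looks_like_device_photo(exif):
    """Mirror the rule's exiftool exclusions (exif is an assumed dict of
    tag -> value, standing in for .scan.exiftool.fields)."""
    if "Model" in exif:                                   # camera model tag
        return True
    if exif.get("Software", "").startswith("Android"):    # Android screenshot
        return True
    if exif.get("DeviceManufacturer") == "Apple Computer Inc.":
        return True
    return exif.get("UserComment") == "Screenshot"

def keyword_hits(ocr_text):
    """Case-insensitive substring matches, like strings.icontains()."""
    low = ocr_text.lower()
    return [k for k in KEYWORDS if k in low]

def is_callback_phish_image(exif, ocr_text):
    """True when the image is not a device photo or screenshot, the OCR text
    hits at least 4 invoice/callback keywords, and it names an impersonated
    brand (the regex tolerates spacing and 0-for-o substitutions)."""
    if looks_like_device_photo(exif):
        return False
    if len(keyword_hits(ocr_text)) < 4:
        return False
    return BRAND_RE.search(ocr_text) is not None

# Constructed OCR transcript of a fake renewal receipt (not a real sample).
SAMPLE_INVOICE = """N0rt0n 360 Antivirus - Subscription Renewed
Order ID: NRT-2024-7781
Amount charged: $299.99 to your card
To cancel or request a refund call support: +1 (800) 555-0199"""

if __name__ == "__main__":
    print(is_callback_phish_image({}, SAMPLE_INVOICE))                    # True
    print(is_callback_phish_image({"Model": "Pixel 7"}, SAMPLE_INVOICE))  # False
```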