Attachment: Callback phishing solicitation via image file

calendar Jan 12, 2026  ·
Share on: linkedin copy

A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Sublime rule (View on GitHub)

  1name: "Attachment: Callback phishing solicitation via image file"
  2description: |
  3  A fraudulent invoice/receipt found in an image attachment.
  4  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  5  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
  6type: "rule"
  7authors:
  8  - twitter: "vector_sec"
  9severity: "high"
 10source: |
 11  type.inbound
 12  and (
 13    not profile.by_sender().solicited
 14    or (
 15      profile.by_sender().any_messages_malicious_or_spam
 16      and not profile.by_sender().any_messages_benign
 17    )
 18  )
 19  and not (subject.is_reply and headers.in_reply_to is not null)
 20  and not profile.by_sender_email().prevalence == "common"
 21  and (
 22    sender.email.domain.root_domain in $free_email_providers
 23    or sender.email.domain.root_domain in ("onmicrosoft.com")
 24    or (
 25      (
 26        length(recipients.to) == 0
 27        or all(recipients.to, .display_name == "Undisclosed recipients")
 28      )
 29      and length(recipients.cc) == 0
 30      and length(recipients.bcc) == 0
 31    )
 32  )
 33  and any(attachments,
 34          // exclude images taken with mobile cameras and screenshots from android
 35          .file_type in $file_types_images
 36          and (
 37            any(file.explode(.),
 38                not any(.scan.exiftool.fields,
 39                        .key == "Model"
 40                        or (
 41                          .key == "Software"
 42                          and strings.starts_with(.value, "Android")
 43                        )
 44                )
 45                // exclude images taken with mobile cameras and screenshots from Apple
 46                and not any(.scan.exiftool.fields,
 47                            .key == "DeviceManufacturer"
 48                            and .value == "Apple Computer Inc."
 49                )
 50                and not any(.scan.exiftool.fields,
 51                            .key == "UserComment" and .value == "Screenshot"
 52                )
 53                // 4 of the following strings are found        
 54                and 4 of (
 55                  // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
 56                  strings.icontains(.scan.ocr.raw, "purchase"),
 57                  strings.icontains(.scan.ocr.raw, "payment"),
 58                  strings.icontains(.scan.ocr.raw, "transaction"),
 59                  strings.icontains(.scan.ocr.raw, "subscription"),
 60                  strings.icontains(.scan.ocr.raw, "antivirus"),
 61                  strings.icontains(.scan.ocr.raw, "order"),
 62                  strings.icontains(.scan.ocr.raw, "support"),
 63                  strings.icontains(.scan.ocr.raw, "help line"),
 64                  strings.icontains(.scan.ocr.raw, "receipt"),
 65                  strings.icontains(.scan.ocr.raw, "invoice"),
 66                  strings.icontains(.scan.ocr.raw, "call"),
 67                  strings.icontains(.scan.ocr.raw, "helpdesk"),
 68                  strings.icontains(.scan.ocr.raw, "cancel"),
 69                  strings.icontains(.scan.ocr.raw, "renew"),
 70                  strings.icontains(.scan.ocr.raw, "refund"),
 71                  regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
 72                  strings.icontains(.scan.ocr.raw, "+1"),
 73                  strings.icontains(.scan.ocr.raw, "amount"),
 74                  strings.icontains(.scan.ocr.raw, "charged"),
 75                  strings.icontains(.scan.ocr.raw, "crypto"),
 76                  strings.icontains(.scan.ocr.raw, "wallet address"),
 77                  regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
 78                  regex.icontains(.scan.ocr.raw,
 79                                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
 80                                  '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
 81                  ),
 82                )
 83                // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
 84                and regex.icontains(.scan.ocr.raw,
 85                                    '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
 86                )
 87            )
 88            // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
 89            or any(ml.logo_detect(.).brands,
 90                   .name in (
 91                     "PayPal",
 92                     "Norton",
 93                     "GeekSquad",
 94                     "Ebay",
 95                     "McAfee",
 96                     "AT&T"
 97                   )
 98            )
 99          )
100  )  
101attack_types:
102  - "Callback Phishing"
103tactics_and_techniques:
104  - "Evasion"
105  - "Free email provider"
106  - "Out of band pivot"
107  - "Social engineering"
108  - "Image as content"
109detection_methods:
110  - "Content analysis"
111  - "Optical Character Recognition"
112  - "Sender analysis"
113  - "URL analysis"
114  - "Computer Vision"
115id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
to-top