Attachment: Callback Phishing solicitation via image file
A fraudulent invoice or receipt found in an image attachment. Callback phishing is an attempt by an attacker to solicit the victim (the recipient) into calling a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule

name: "Attachment: Callback Phishing solicitation via image file"
description: |
  A fraudulent invoice/receipt found in an image attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or sender.email.domain.root_domain in ("onmicrosoft.com")
    or (
      (
        length(recipients.to) == 0
        or all(recipients.to, .display_name == "Undisclosed recipients")
      )
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
    )
  )
  and any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  // exclude images taken with mobile cameras and screenshots from android
                  not any(.scan.exiftool.fields,
                          .key == "Model"
                          or (
                            .key == "Software"
                            and strings.starts_with(.value, "Android")
                          )
                  )
                  // exclude images taken with mobile cameras and screenshots from Apple
                  and not any(.scan.exiftool.fields,
                              .key == "DeviceManufacturer"
                              and .value == "Apple Computer Inc."
                  )
                  and not any(.scan.exiftool.fields,
                              .key == "UserComment"
                              and .value == "Screenshot"
                  )
                  and 4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "+1")
                  )
          )
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*geek squad*",
                                "*lifelock*",
                                "*best buy*",
                                "*mcafee*",
                                "*norton*",
                                "*ebay*",
                                "*paypal*",
                                "*secure anywhere*"
                  )
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
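The sender and attachment conditions of the rule above, re-implemented in plain Python as an added example so the "4 of" keyword threshold, the brand wildcards and the EXIF exclusions can be exercised offline. This is not Sublime's MQL engine or the project's own code: the function names, the `ExplodedImage` class, the `FREE_EMAIL_PROVIDERS` stand-in for `$free_email_providers`, and all OCR text and EXIF dictionaries below are constructed for the example; `$file_types_images` and the `profile.by_sender()` history are not modelled.

```python
"""Added example: a plain-Python model of the rule's attachment and sender
conditions for offline testing. Not Sublime's MQL engine; field names and
thresholds mirror the rule text, and every input below is constructed."""
from dataclasses import dataclass
import fnmatch

# The 14 OCR keywords of the rule's "4 of (...)" block and its threshold.
OCR_KEYWORDS = ("purchase", "subscription", "antivirus", "order", "support",
                "receipt", "amount", "charged", "invoice", "call", "cancel",
                "renew", "refund", "+1")
KEYWORD_THRESHOLD = 4

# The brand wildcards of the rule's strings.ilike(...) block.
BRAND_PATTERNS = ("*geek squad*", "*lifelock*", "*best buy*", "*mcafee*",
                  "*norton*", "*ebay*", "*paypal*", "*secure anywhere*")

# Constructed stand-in for the $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "hotmail.com"}


@dataclass
class ExplodedImage:
    """One object from file.explode(.): its exiftool fields and OCR text."""
    exif: dict
    ocr_raw: str


def looks_like_device_photo_or_screenshot(exif):
    """The rule's EXIF exclusions: camera photos and phone screenshots."""
    if "Model" in exif:                                   # any camera Model tag
        return True
    if str(exif.get("Software", "")).startswith("Android"):
        return True
    if exif.get("DeviceManufacturer") == "Apple Computer Inc.":
        return True
    return exif.get("UserComment") == "Screenshot"


def matched_keywords(ocr_raw):
    """Case-insensitive substring hits, as strings.icontains does."""
    text = ocr_raw.lower()
    return [k for k in OCR_KEYWORDS if k in text]


def matched_brands(ocr_raw):
    """Case-insensitive glob hits, as strings.ilike with '*' wildcards does."""
    text = ocr_raw.lower()
    return [p for p in BRAND_PATTERNS if fnmatch.fnmatchcase(text, p)]


def attachment_matches(exploded):
    """True when both any(file.explode(.), ...) blocks of the rule hold."""
    invoice_like = any(
        not looks_like_device_photo_or_screenshot(img.exif)
        and len(matched_keywords(img.ocr_raw)) >= KEYWORD_THRESHOLD
        for img in exploded)
    brand_hit = any(matched_brands(img.ocr_raw) for img in exploded)
    return invoice_like and brand_hit


def sender_conditions_met(root_domain, to_display_names, cc_count, bcc_count):
    """The rule's sender block: free-mail / onmicrosoft.com, or no visible recipients."""
    if root_domain in FREE_EMAIL_PROVIDERS or root_domain == "onmicrosoft.com":
        return True
    undisclosed = (not to_display_names
                   or all(n == "Undisclosed recipients" for n in to_display_names))
    return undisclosed and cc_count == 0 and bcc_count == 0


# Constructed OCR text in the style of a callback-phishing receipt.
FAKE_INVOICE_OCR = """Geek Squad Protection
Order #GS-4471   Receipt
Thank you for your purchase. Your antivirus subscription has been renewed
and the amount of $349.99 has been charged to your account.
To cancel or request a refund call support at +1 (800) 555-0199 within 24 hours."""

# Constructed OCR text from a harmless photo of a whiteboard.
BENIGN_OCR = "Team lunch Friday. Call Sam for the order number."

if __name__ == "__main__":
    print("fake invoice, no EXIF:", attachment_matches([ExplodedImage({}, FAKE_INVOICE_OCR)]))
    print("same text, phone photo:", attachment_matches([ExplodedImage({"Model": "Pixel 7"}, FAKE_INVOICE_OCR)]))
    print("benign whiteboard photo:", attachment_matches([ExplodedImage({}, BENIGN_OCR)]))
```

Two details of the rule are preserved deliberately: the EXIF exclusions and the keyword count are evaluated on the same exploded object, while the brand match may come from any exploded object, because the rule uses two separate `any(file.explode(.), ...)` blocks. A harness like this is the place to tune `KEYWORD_THRESHOLD` against a corpus of legitimate receipts before changing the rule itself.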