Attachment: Callback Phishing solicitation via image file

A fraudulent invoice or receipt delivered as an image attachment. Callback phishing is an attempt by an attacker to get the victim (the recipient) to call a phone number under the attacker's control; because the lure is an image rather than a link or text, URL and keyword scanning alone will not see it, so this rule relies on OCR of the attachment. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

name: "Attachment: Callback Phishing solicitation via image file"
description: |
  A fraudulent invoice/receipt found in an image attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
  and sender.email.domain.root_domain in $free_email_providers
  and any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "+1")
                  )
          )
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*geek squad*",
                                "*lifelock*",
                                "*best buy*",
                                "*mcafee*",
                                "*norton*",
                                "*ebay*",
                                "*paypal*",
                                "*secure anywhere*"
                  )
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
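To see how the rule's three gates (sender, keyword threshold, brand match) combine, the following is an added Python model of the MQL above run over constructed messages. It is not Sublime's code or the rule author's; the tiny FREE_EMAIL_PROVIDERS and FILE_TYPES_IMAGES sets stand in for Sublime's much larger `$free_email_providers` and `$file_types_images` lists, `root_domain()` is a crude two-label approximation, each attachment's `ocr_texts` list stands in for the `.scan.ocr.raw` of the files produced by `file.explode(.)`, and the OCR text and addresses are invented for the example. Translating the source literally also makes one property of the rule visible: the trailing `and sender.email.domain.root_domain in $free_email_providers` makes the second branch of the sender disjunction (non-free-mail sender not in `$recipient_domains`) unreachable, so the rule only ever fires on free-mail senders.

```python
import re
from dataclasses import dataclass

# Constructed stand-ins for Sublime's $free_email_providers / $file_types_images.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp", "tiff"}

# Keywords from the "4 of (...)" block and the brand globs from strings.ilike().
KEYWORDS = ["purchase", "subscription", "antivirus", "order", "support", "receipt",
            "amount", "charged", "invoice", "call", "cancel", "renew", "refund", "+1"]
KEYWORD_THRESHOLD = 4
BRAND_GLOBS = ["*geek squad*", "*lifelock*", "*best buy*", "*mcafee*",
               "*norton*", "*ebay*", "*paypal*", "*secure anywhere*"]


@dataclass
class Attachment:
    file_type: str
    ocr_texts: list   # OCR text of each file yielded by file.explode(.)


@dataclass
class Message:
    sender: str       # sender.email.email
    recipients: list  # source of $recipient_emails / $recipient_domains
    attachments: list
    inbound: bool = True


def root_domain(domain):
    # Crude approximation of sender.email.domain.root_domain (last two labels).
    return ".".join(domain.lower().split(".")[-2:])


def icontains(haystack, needle):
    # strings.icontains: case-insensitive substring test
    return needle.lower() in haystack.lower()


def ilike(text, *globs):
    # strings.ilike: case-insensitive glob where '*' matches anything, newlines included
    for g in globs:
        pattern = ".*".join(re.escape(part) for part in g.split("*"))
        if re.fullmatch(pattern, text, flags=re.IGNORECASE | re.DOTALL):
            return True
    return False


def keyword_hits(text):
    # Number of keyword predicates that are true; the rule needs >= 4 of them.
    return sum(icontains(text, k) for k in KEYWORDS)


def sender_matches(msg):
    domain = msg.sender.split("@", 1)[1].lower()
    rd = root_domain(domain)
    recipient_emails = {r.lower() for r in msg.recipients}
    recipient_domains = {r.split("@", 1)[1].lower() for r in msg.recipients}
    free_and_external = rd in FREE_EMAIL_PROVIDERS and msg.sender.lower() not in recipient_emails
    nonfree_and_external = rd not in FREE_EMAIL_PROVIDERS and domain not in recipient_domains
    # Literal translation: the final clause makes nonfree_and_external irrelevant.
    return (free_and_external or nonfree_and_external) and rd in FREE_EMAIL_PROVIDERS


def attachment_matches(att):
    if att.file_type.lower() not in FILE_TYPES_IMAGES:
        return False
    enough_keywords = any(keyword_hits(t) >= KEYWORD_THRESHOLD for t in att.ocr_texts)
    brand_named = any(ilike(t, *BRAND_GLOBS) for t in att.ocr_texts)
    return enough_keywords and brand_named


def rule_matches(msg):
    return msg.inbound and sender_matches(msg) and any(attachment_matches(a) for a in msg.attachments)


# Constructed OCR output of a callback-phishing "invoice" image (all details invented).
INVOICE_OCR = (
    "GEEK SQUAD\n"
    "Invoice #GS-2291\n"
    "Thank you for your purchase.\n"
    "Your annual antivirus subscription has been renewed.\n"
    "Amount charged: $349.99\n"
    "To cancel this order or request a refund,\n"
    "call support at +1 (800) 555-0199\n"
)
BENIGN_OCR = "Happy birthday, Alice! See you at the party on Saturday."

RECIPIENTS = ["alice@example.com"]
SAMPLES = {
    # Free-mail sender, external, image with brand + many keywords: should fire.
    "callback_phish": Message("billing.desk4471@gmail.com", RECIPIENTS,
                              [Attachment("png", [INVOICE_OCR])]),
    # Same lure from a non-free domain: never fires because of the final sender clause.
    "nonfree_sender": Message("billing@vendor-mail.example", RECIPIENTS,
                              [Attachment("png", [INVOICE_OCR])]),
    # Free-mail sender but an ordinary photo: no keywords, no brand.
    "benign_photo": Message("bob.smith@gmail.com", RECIPIENTS,
                            [Attachment("jpg", [BENIGN_OCR])]),
    # Same lure but attached as a PDF: outside $file_types_images, not this rule's scope.
    "pdf_not_image": Message("billing.desk4471@gmail.com", RECIPIENTS,
                             [Attachment("pdf", [INVOICE_OCR])]),
}


def evaluate_samples():
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:16s} -> {'MATCH' if hit else 'no match'}")
```

The `pdf_not_image` sample is worth keeping in mind when tuning: the same OCR content in a PDF is out of scope here by design (`.file_type in $file_types_images`), so coverage of PDF-borne callback lures has to come from a separate rule.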