Attachment: Callback Phishing solicitation via image file
A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule

```yaml
name: "Attachment: Callback Phishing solicitation via image file"
description: |
  A fraudulent invoice/receipt found in an image attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or sender.email.domain.root_domain in ("onmicrosoft.com")
  )
  and any(attachments,
          // exclude images taken with mobile cameras and screenshots from android
          .file_type in $file_types_images
          and any(file.explode(.),
                  not any(.scan.exiftool.fields,
                          .key == "Model"
                          or (
                            .key == "Software"
                            and strings.starts_with(.value, "Android")
                          )
                  )
                  // exclude images taken with mobile cameras and screenshots from Apple
                  and not any(.scan.exiftool.fields,
                              .key == "DeviceManufacturer"
                              and .value == "Apple Computer Inc."
                  )
                  and 4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "+1")
                  )
          )
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*geek squad*",
                                "*lifelock*",
                                "*best buy*",
                                "*mcafee*",
                                "*norton*",
                                "*ebay*",
                                "*paypal*",
                                "*secure anywhere*"
                  )
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
```
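To make the rule's logic testable outside Sublime, here is an added Python model of it (not Sublime's code or the rule author's). The sender-profile flags, the EXIF fields and the OCR text are passed in as plain values, and the `$free_email_providers` and `$file_types_images` lists are replaced by small constructed placeholder sets.

```python
# Placeholder stand-ins for Sublime's $free_email_providers and $file_types_images lists
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}   # constructed subset
IMAGE_FILE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}             # constructed subset
KEYWORDS = ["purchase", "subscription", "antivirus", "order", "support", "receipt",
            "amount", "charged", "invoice", "call", "cancel", "renew", "refund", "+1"]
BRANDS = ["geek squad", "lifelock", "best buy", "mcafee", "norton",
          "ebay", "paypal", "secure anywhere"]

def is_camera_or_screenshot(exif: dict) -> bool:
    """The rule's exiftool exclusions: camera Model tag, Android screenshot, Apple device."""
    return ("Model" in exif
            or str(exif.get("Software", "")).startswith("Android")
            or exif.get("DeviceManufacturer") == "Apple Computer Inc.")

def keyword_hits(ocr_text: str) -> list:
    """Case-insensitive substring matches, like strings.icontains over .scan.ocr.raw."""
    text = ocr_text.lower()
    return [k for k in KEYWORDS if k in text]

def brand_hits(ocr_text: str) -> list:
    """Case-insensitive brand matches, like strings.ilike with *brand* patterns."""
    text = ocr_text.lower()
    return [b for b in BRANDS if b in text]

def attachment_matches(file_type: str, exif: dict, ocr_text: str) -> bool:
    """An image attachment trips the rule when it is not a photo or screenshot and its
    OCR text carries at least 4 invoice/callback keywords plus an impersonated brand."""
    if file_type.lower() not in IMAGE_FILE_TYPES or is_camera_or_screenshot(exif):
        return False
    return len(keyword_hits(ocr_text)) >= 4 and bool(brand_hits(ocr_text))

def message_matches(sender_root_domain: str, solicited: bool, prior_malicious: bool,
                    prior_false_positives: bool, attachments: list) -> bool:
    """Whole rule for an inbound message: sender profile, sender domain, any matching attachment."""
    sender_suspicious = (not solicited) or (prior_malicious and not prior_false_positives)
    domain_ok = sender_root_domain in FREE_EMAIL_PROVIDERS or sender_root_domain == "onmicrosoft.com"
    return sender_suspicious and domain_ok and any(attachment_matches(*a) for a in attachments)

# Constructed sample: OCR text of a fake "Geek Squad" renewal receipt rendered as a PNG
FAKE_INVOICE_OCR = ("Thank you for your purchase. Your Geek Squad antivirus subscription "
                    "has been renewed. Amount charged: $399.99. To cancel or request a "
                    "refund, call support at +1 (888) 555-0199.")
# Constructed sample: EXIF fields of a genuine iPhone photo, which the rule excludes
IPHONE_PHOTO_EXIF = {"Model": "iPhone 13", "DeviceManufacturer": "Apple Computer Inc."}

if __name__ == "__main__":
    print(message_matches("gmail.com", False, False, False, [("png", {}, FAKE_INVOICE_OCR)]))  # True
    print(attachment_matches("jpg", IPHONE_PHOTO_EXIF, FAKE_INVOICE_OCR))                      # False
```

The second call shows the exclusion working: the same receipt text is ignored when the EXIF data says the image came off a phone camera, which is where the rule trades some recall for fewer false positives on forwarded photos.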