Attachment: Callback Phishing solicitation via image file

A fraudulent invoice or receipt delivered as an image attachment. Callback phishing is an attempt by an attacker to get the victim (the recipient) to call a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule

name: "Attachment: Callback Phishing solicitation via image file"
description: |
  A fraudulent invoice/receipt found in an image attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or sender.email.domain.root_domain in ("onmicrosoft.com")
  )
  and any(attachments,
          // exclude images taken with mobile cameras and screenshots from android
          .file_type in $file_types_images
          and any(file.explode(.),
                  not any(.scan.exiftool.fields,
                          .key == "Model"
                          or (
                            .key == "Software"
                            and strings.starts_with(.value, "Android")
                          )
                  )
                  // exclude images taken with mobile cameras and screenshots from Apple
                  and not any(.scan.exiftool.fields,
                              .key == "DeviceManufacturer"
                              and .value == "Apple Computer Inc."
                  )
                  and 4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "+1")
                  )
          )
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*geek squad*",
                                "*lifelock*",
                                "*best buy*",
                                "*mcafee*",
                                "*norton*",
                                "*ebay*",
                                "*paypal*",
                                "*secure anywhere*"
                  )
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
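The attachment clause of the rule is easiest to reason about when its pieces are run over concrete inputs. The following is an added Python approximation of that clause, not code from Sublime Security or the rule's repository: it models an attachment as its file type, OCR text and EXIF fields (standing in for `file.explode(.)`, `.scan.ocr.raw` and `.scan.exiftool.fields`), applies the camera/screenshot EXIF exclusions, the "4 of" keyword threshold and the brand-name glob check, and reports why an attachment did or did not match. The `IMAGE_TYPES` and `FREE_EMAIL_PROVIDERS` sets are assumptions standing in for Sublime's `$file_types_images` and `$free_email_providers` lists, and all sample OCR text and EXIF data is constructed.

```python
"""Added example: Python approximation of the Sublime callback-phishing rule's
attachment logic. Not the rule's own code; list contents are assumptions."""
import fnmatch
from dataclasses import dataclass, field

# Keywords copied from the rule's "4 of (...)" block; matched case-insensitively.
OCR_KEYWORDS = ["purchase", "subscription", "antivirus", "order", "support",
                "receipt", "amount", "charged", "invoice", "call", "cancel",
                "renew", "refund", "+1"]
KEYWORD_THRESHOLD = 4

# Brand globs copied from the rule's strings.ilike(...) call ('*' = wildcard).
BRAND_PATTERNS = ["*geek squad*", "*lifelock*", "*best buy*", "*mcafee*",
                  "*norton*", "*ebay*", "*paypal*", "*secure anywhere*"]

# Assumption: stand-ins for Sublime's $file_types_images / $free_email_providers.
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "tiff", "webp"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}


@dataclass
class Attachment:
    """Constructed stand-in for an attachment plus its exploded scan results."""
    file_type: str
    ocr_text: str
    exif: dict = field(default_factory=dict)


def sender_is_suspect(root_domain):
    """Mirror the sender clause: free-mail provider or a bare onmicrosoft.com tenant."""
    return root_domain in FREE_EMAIL_PROVIDERS or root_domain == "onmicrosoft.com"


def is_camera_or_screenshot(exif):
    """EXIF exclusions from the rule: a camera Model tag, an Android screenshot
    Software tag, or an Apple DeviceManufacturer tag mark the image as benign-origin."""
    if "Model" in exif:
        return True
    if str(exif.get("Software", "")).startswith("Android"):
        return True
    return exif.get("DeviceManufacturer") == "Apple Computer Inc."


def keyword_hits(text):
    """Case-insensitive substring matches, like strings.icontains."""
    lowered = text.lower()
    return [k for k in OCR_KEYWORDS if k in lowered]


def brand_hit(text):
    """Case-insensitive glob match, like strings.ilike with '*' wildcards."""
    lowered = text.lower()
    return any(fnmatch.fnmatchcase(lowered, p) for p in BRAND_PATTERNS)


def attachment_matches(att):
    """Return (matched, reason) for one attachment under the rule's attachment clause."""
    if att.file_type.lower() not in IMAGE_TYPES:
        return False, "not an image"
    if is_camera_or_screenshot(att.exif):
        return False, "camera photo or mobile screenshot (EXIF exclusion)"
    hits = keyword_hits(att.ocr_text)
    if len(hits) < KEYWORD_THRESHOLD:
        return False, f"only {len(hits)} keyword(s): {hits}"
    if not brand_hit(att.ocr_text):
        return False, "no impersonated brand in OCR text"
    return True, f"{len(hits)} keywords {hits} plus brand match"


# Constructed sample OCR output of a fake antivirus invoice (placeholder number).
SAMPLE_OCR = ("Thank you for your order.\n"
              "Geek Squad Antivirus subscription renewed.\n"
              "Amount charged: $399.99\n"
              "To cancel or request a refund call +1 (555) 010-0199 support")

FAKE_INVOICE = Attachment("png", SAMPLE_OCR, {"Software": "GIMP 2.10"})
# Same text, but EXIF says it is an Apple device screenshot: excluded by the rule.
IPHONE_SCREENSHOT = Attachment("png", SAMPLE_OCR,
                               {"DeviceManufacturer": "Apple Computer Inc."})
# A holiday photo: camera Model tag present and no scam vocabulary.
VACATION_PHOTO = Attachment("jpg", "", {"Model": "ILCE-7M3"})


def demo():
    """Evaluate the constructed samples; returns {name: (matched, reason)}."""
    samples = {"fake_invoice": FAKE_INVOICE,
               "iphone_screenshot": IPHONE_SCREENSHOT,
               "vacation_photo": VACATION_PHOTO}
    return {name: attachment_matches(att) for name, att in samples.items()}


if __name__ == "__main__":
    for name, (matched, reason) in demo().items():
        print(f"{name}: {'MATCH' if matched else 'no match'} ({reason})")
```

The EXIF exclusions are applied before the keyword count, which is the same order of cost a production rule benefits from: cheap metadata checks prune genuine camera photos and phone screenshots before any OCR text is inspected. Note that the threshold of four keywords out of a list of common billing words is deliberately loose; the brand glob is what narrows the rule to the impersonated vendors it targets.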