Attachment: Callback Phishing solicitation via image file
A fraudulent invoice/receipt found in an image attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
```yaml
name: "Attachment: Callback Phishing solicitation via image file"
description: |
  A fraudulent invoice/receipt found in an image attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
  and sender.email.domain.root_domain in $free_email_providers
  and any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.),
                  4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "+1")
                  )
          )
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*geek squad*",
                                "*lifelock*",
                                "*best buy*",
                                "*mcafee*",
                                "*norton*",
                                "*ebay*",
                                "*paypal*",
                                "*secure anywhere*"
                  )
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
```
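The rule's logic re-implemented in plain Python as an added example (not Sublime's code or its MQL engine), so the sender check, the "4 of N" OCR keyword threshold and the brand-name match can be run against a sample message offline. The provider and image-type sets stand in for `$free_email_providers` and `$file_types_images`, and the OCR text is constructed to resemble what `.scan.ocr.raw` would hold.

```python
from dataclasses import dataclass
import fnmatch

# Constructed stand-ins for the Sublime lists $free_email_providers / $file_types_images.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}
# Same keyword and brand lists as the rule; strings.icontains / strings.ilike are case-insensitive.
KEYWORDS = ["purchase", "subscription", "antivirus", "order", "support", "receipt", "amount",
            "charged", "invoice", "call", "cancel", "renew", "refund", "+1"]
BRANDS = ["*geek squad*", "*lifelock*", "*best buy*", "*mcafee*", "*norton*",
          "*ebay*", "*paypal*", "*secure anywhere*"]

@dataclass
class Attachment:
    file_type: str
    ocr_text: str          # text OCR extracted from the image (the rule's .scan.ocr.raw)

@dataclass
class Message:
    sender: str
    recipients: list
    attachments: list
    inbound: bool = True

def root_domain(email: str) -> str:
    return email.rsplit("@", 1)[1].lower()

def sender_is_suspect(msg: Message) -> bool:
    """Sender block of the rule: external sender, and (per the final clause) a free-mail domain."""
    dom = root_domain(msg.sender)
    external = ((dom in FREE_EMAIL_PROVIDERS and msg.sender.lower() not in {r.lower() for r in msg.recipients})
                or (dom not in FREE_EMAIL_PROVIDERS and dom not in {root_domain(r) for r in msg.recipients}))
    return external and dom in FREE_EMAIL_PROVIDERS

def keyword_hits(text: str) -> int:
    """Number of KEYWORDS found in the OCR text; the rule requires at least 4."""
    return sum(1 for k in KEYWORDS if k in text.lower())

def brand_match(text: str) -> bool:
    """strings.ilike(..., "*brand*"): glob match over the whole OCR text, case-insensitive."""
    return any(fnmatch.fnmatchcase(text.lower(), p) for p in BRANDS)

def is_callback_phish(msg: Message) -> bool:
    if not msg.inbound or not sender_is_suspect(msg):
        return False
    return any(a.file_type in IMAGE_TYPES and keyword_hits(a.ocr_text) >= 4 and brand_match(a.ocr_text)
               for a in msg.attachments)

# Constructed sample: a fake invoice image whose OCR text carries the usual callback-phishing cues.
SAMPLE_OCR = ("GEEK SQUAD - Invoice #GS-0000\nOrder: Total Protection subscription (1 year)\n"
              "Amount charged: $399.99\nTo cancel or refund, call support at +1 555-0100")
SAMPLE = Message("billing.dept.0000@gmail.com", ["alice@example.org"], [Attachment("png", SAMPLE_OCR)])
```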