Attachment: Callback Phishing solicitation via image file

A fraudulent invoice or receipt delivered as an image attachment. Callback phishing is an attempt by an attacker to get the victim (the recipient) to call a phone number; there is no link or executable in the message, so the lure text is rendered as an image and has to be recovered with OCR. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule

```yaml
name: "Attachment: Callback Phishing solicitation via image file"
description: |
  A fraudulent invoice/receipt found in an image attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
authors:
  - twitter: "vector_sec"
severity: "high"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or sender.email.domain.root_domain in ("onmicrosoft.com")
    or (
      (
        length(recipients.to) == 0
        or all(recipients.to, .display_name == "Undisclosed recipients")
      )
      and length(recipients.cc) == 0
      and length(recipients.bcc) == 0
    )
  )
  and any(attachments,
          // exclude images taken with mobile cameras and screenshots from android
          .file_type in $file_types_images
          and any(file.explode(.),
                  not any(.scan.exiftool.fields,
                          .key == "Model"
                          or (
                            .key == "Software"
                            and strings.starts_with(.value, "Android")
                          )
                  )
                  // exclude images taken with mobile cameras and screenshots from Apple
                  and not any(.scan.exiftool.fields,
                              .key == "DeviceManufacturer"
                              and .value == "Apple Computer Inc."
                  )
                  and not any(.scan.exiftool.fields,
                            .key == "UserComment"
                            and .value == "Screenshot"
                  )
                  and 4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "+1")
                  )
          )
          and any(file.explode(.),
                  strings.ilike(.scan.ocr.raw,
                                "*geek squad*",
                                "*lifelock*",
                                "*best buy*",
                                "*mcafee*",
                                "*norton*",
                                "*ebay*",
                                "*paypal*",
                                "*secure anywhere*"
                  )
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "Social engineering"
  - "Image as content"
detection_methods:
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
  - "Computer Vision"
id: "60acbb36-8ed1-562e-8027-260c2fdf0f04"
```
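The rule above has three layers: a sender gate (free-mail or onmicrosoft.com sender, or a message with no disclosed recipients), EXIF exclusions that drop genuine phone photos and screenshots, and an OCR layer that requires four of the "invoice/subscription" keywords plus one of the impersonated brands. The following is an added example, not Sublime's engine or the rule author's code, that re-implements those checks in plain Python over constructed samples so you can see which layer each sample passes or fails. OCR text and EXIF tags are supplied as data (a real run would come from exiftool and an OCR engine), the `profile.by_sender()` history checks are reduced to a boolean, the `$free_email_providers` and `$file_types_images` lists are small stand-ins, and `strings.ilike("*x*")` is modelled as a case-insensitive substring match.

```python
from dataclasses import dataclass, field

# Constructed stand-ins for the $free_email_providers and $file_types_images lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "aol.com"}
IMAGE_FILE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp", "tiff", "webp"}

# Terms from the rule's "4 of (...)" block and its brand list.
KEYWORDS = ["purchase", "subscription", "antivirus", "order", "support", "receipt", "amount",
            "charged", "invoice", "call", "cancel", "renew", "refund", "+1"]
BRANDS = ["geek squad", "lifelock", "best buy", "mcafee", "norton", "ebay", "paypal", "secure anywhere"]
MIN_KEYWORDS = 4


@dataclass
class Attachment:
    file_type: str
    ocr_text: str                              # stands in for .scan.ocr.raw
    exif: dict = field(default_factory=dict)   # stands in for .scan.exiftool.fields (tag -> value)


@dataclass
class Message:
    sender_root_domain: str
    to_display_names: list
    cc: list
    bcc: list
    attachments: list
    sender_unsolicited_or_flagged: bool = True  # stands in for the profile.by_sender() clause


def is_device_image(att):
    """The rule's EXIF exclusions: camera photos (Model tag), Android software,
    Apple devices and explicit screenshots. Real photos of a paper receipt or a
    phone screenshot of a bill carry these tags; a rendered lure usually does not."""
    exif = att.exif
    return ("Model" in exif
            or exif.get("Software", "").startswith("Android")
            or exif.get("DeviceManufacturer") == "Apple Computer Inc."
            or exif.get("UserComment") == "Screenshot")


def keyword_hits(text):
    low = text.lower()                          # strings.icontains is case-insensitive
    return [k for k in KEYWORDS if k in low]


def brand_hits(text):
    low = text.lower()                          # strings.ilike("*brand*") ~ case-insensitive substring
    return [b for b in BRANDS if b in low]


def attachment_matches(att):
    return (att.file_type.lower() in IMAGE_FILE_TYPES
            and not is_device_image(att)
            and len(keyword_hits(att.ocr_text)) >= MIN_KEYWORDS
            and len(brand_hits(att.ocr_text)) >= 1)


def sender_matches(msg):
    undisclosed = ((not msg.to_display_names
                    or all(n == "Undisclosed recipients" for n in msg.to_display_names))
                   and not msg.cc and not msg.bcc)
    return (msg.sender_root_domain in FREE_EMAIL_PROVIDERS
            or msg.sender_root_domain == "onmicrosoft.com"
            or undisclosed)


def message_matches(msg):
    return (msg.sender_unsolicited_or_flagged
            and sender_matches(msg)
            and any(attachment_matches(a) for a in msg.attachments))


# Constructed samples (not real messages). The OCR text is a typical callback lure.
INVOICE_OCR = (
    "GEEK SQUAD   Invoice #GS-0841\n"
    "Thank you for your purchase. Your antivirus subscription has been renewed for 1 year.\n"
    "Amount charged: $399.99\n"
    "If you did not authorize this order or wish to cancel and request a refund,\n"
    "call our support desk at +1 (800) 555-0199 within 24 hours."
)
LURE_PNG = Attachment("png", INVOICE_OCR)
IPHONE_PHOTO = Attachment("jpg", INVOICE_OCR, {"Model": "iPhone 14", "DeviceManufacturer": "Apple Computer Inc."})
ANDROID_SHOT = Attachment("png", INVOICE_OCR, {"Software": "Android 13"})
SLIDE_PNG = Attachment("png", "Quarterly roadmap: Q3 priorities, hiring plan, platform migration.")

CALLBACK_FROM_GMAIL = Message("gmail.com", ["Bob"], [], [], [LURE_PNG])
SAME_LURE_FROM_CORP = Message("example.com", ["Bob"], [], [], [LURE_PNG])
SAME_LURE_UNDISCLOSED = Message("example.com", ["Undisclosed recipients"], [], [], [LURE_PNG])

if __name__ == "__main__":
    for name, att in [("lure", LURE_PNG), ("iphone", IPHONE_PHOTO), ("android", ANDROID_SHOT), ("slide", SLIDE_PNG)]:
        print(f"{name:8} keywords={len(keyword_hits(att.ocr_text)):2} brands={brand_hits(att.ocr_text)} "
              f"device={is_device_image(att)} match={attachment_matches(att)}")
    for name, msg in [("gmail", CALLBACK_FROM_GMAIL), ("corp", SAME_LURE_FROM_CORP), ("undisclosed", SAME_LURE_UNDISCLOSED)]:
        print(f"{name:12} sender_gate={sender_matches(msg)} match={message_matches(msg)}")
```

Two things the samples make visible. First, the EXIF exclusions are deliberately strong: the same lure text inside a real iPhone photo or an Android screenshot does not match, which is the trade-off the rule makes to avoid flagging users forwarding photos of legitimate bills. Second, the sender gate means an identical image from an established corporate domain with named recipients is not flagged; in the real rule the `profile.by_sender()` clause narrows this further to senders the recipient has not solicited or that have prior malicious history. Note also that the rule runs its keyword block and its brand block as two separate `any(file.explode(.), ...)` calls, so for a multi-part attachment the four keywords and the brand name may come from different exploded parts; a single image, as modelled here, has one OCR text for both.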