Attachment: Callback Phishing solicitation via pdf file
A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
# Sublime Security detection rule; the `source` block scalar holds the MQL query.
# Signals, in order: unsolicited (or previously bad) sender, exactly one
# attachment, free-mail sender domain, a short PDF whose OCR text carries
# invoice/payment vocabulary plus a brand cue (or a detected brand logo),
# and a subject/thread that does not look like a reply.
name: "Attachment: Callback Phishing solicitation via pdf file"
description: |
  A fraudulent invoice/receipt found in a pdf attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "high"
source: |
  // sender gate: the sender profile is either not solicited, or has
  // malicious/spam history with no recorded false positives
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // single attachment
  and length(attachments) == 1

  // sender is freemail
  and sender.email.domain.root_domain in $free_email_providers

  // the attachment is a pdf with less than 3 pages, and at least 60 ocr chars
  and any(attachments,
          (
            .file_extension == "pdf"
            // NOTE(review): inside this group the OCR branch and the logo branch
            // at the bottom are joined by `or`; if `and` binds tighter than `or`
            // (as the layout implies) a logo hit alone satisfies the group, and
            // the page-count / OCR-length checks do not apply to that branch
            and (
              // get the length of the attached pdf
              any(file.explode(.),
                  .depth == 0 and .scan.exiftool.page_count < 3
              )
              // check that any _single_ result in the file.explode matches these conditions
              and any(file.explode(.),
                      length(.scan.ocr.raw) > 60
                      // 4 of the following strings are found
                      and (
                        4 of (
                          strings.icontains(.scan.ocr.raw, "purchase"),
                          strings.icontains(.scan.ocr.raw, "payment"),
                          strings.icontains(.scan.ocr.raw, "transaction"),
                          strings.icontains(.scan.ocr.raw, "subscription"),
                          strings.icontains(.scan.ocr.raw, "antivirus"),
                          strings.icontains(.scan.ocr.raw, "order"),
                          strings.icontains(.scan.ocr.raw, "support"),
                          strings.icontains(.scan.ocr.raw, "help line"),
                          strings.icontains(.scan.ocr.raw, "receipt"),
                          strings.icontains(.scan.ocr.raw, "invoice"),
                          strings.icontains(.scan.ocr.raw, "call"),
                          strings.icontains(.scan.ocr.raw, "helpdesk"),
                          strings.icontains(.scan.ocr.raw, "cancel"),
                          strings.icontains(.scan.ocr.raw, "renew"),
                          strings.icontains(.scan.ocr.raw, "refund"),
                          strings.icontains(.scan.ocr.raw, "amount"),
                          strings.icontains(.scan.ocr.raw, "crypto"),
                          strings.icontains(.scan.ocr.raw, "wallet address"),
                          // a three-digit dollar amount with cents
                          regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                          // phone number shapes; NOTE(review): the `.` after `1` is
                          // unescaped, so it matches any single character, not only a dot
                          regex.icontains(.scan.ocr.raw,
                                          '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
                          ),
                          regex.icontains(.scan.ocr.raw,
                                          '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
                          )
                        )
                      )

                      // 1 of the following strings is found, representing common Callback brands
                      and 1 of (
                        strings.icontains(.scan.ocr.raw, "geek squad"),
                        strings.icontains(.scan.ocr.raw, "lifelock"),
                        strings.icontains(.scan.ocr.raw, "best buy"),
                        strings.icontains(.scan.ocr.raw, "mcafee"),
                        // tolerates common misspellings / spacing of the brand name
                        regex.icontains(.scan.ocr.raw, "ma?c.?fee"),
                        strings.icontains(.scan.ocr.raw, "norton"),
                        strings.icontains(.scan.ocr.raw, "ebay"),
                        strings.icontains(.scan.ocr.raw, "paypal"),
                        // suspicious attachment name from the attachment object not file.explode() output
                        // (counts as a brand cue for the `1 of` above; NOTE(review): the
                        // `.` in `.pdf` is unescaped and matches any character)
                        (
                          regex.icontains(..file_name, 'INV(?:_|\s)?\d+(.pdf)$')
                        )
                      )
                      // Negate bank statements
                      // NOTE(review): the last item in this list carries a trailing comma,
                      // unlike the other lists in this rule; confirm the parser accepts it
                      and not (
                        2 of (
                          strings.icontains(.scan.ocr.raw, "opening balance"),
                          strings.icontains(.scan.ocr.raw, "closing balance"),
                          strings.icontains(.scan.ocr.raw, "direct debit"),
                          strings.icontains(.scan.ocr.raw, "interest"),
                          strings.icontains(.scan.ocr.raw, "account balance"),
                        )
                      )
              )

              // logo branch: a listed brand logo detected in the attachment
              or any(ml.logo_detect(.).brands,
                     .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
              )
            )
          )
  )
  // reply/thread exclusion: References, In-Reply-To hop fields and subject prefixes
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject,
                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
          )
        )
      )
    )
    // NOTE(review): this alternative is true on its own whenever References is
    // empty, so the subject-prefix exclusion above only takes effect for messages
    // that carry a References header (or a current-thread body of 10+ chars)
    or (length(headers.references) == 0 or length(body.current_thread.text) < 10)
  )

# classification metadata used by the rule catalog
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"