Attachment: Callback phishing solicitation via pdf file

A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

  1name: "Attachment: Callback phishing solicitation via pdf file"
  2description: |
  3  A fraudulent invoice/receipt found in a pdf attachment.
  4  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  5  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
  6type: "rule"
  7severity: "high"
  8source: |
     // inbound message whose sender is either not established as solicited,
     // or has prior malicious/spam messages and no benign ones
  9  type.inbound
 10  and (
 11    not profile.by_sender().solicited
 12    or (
 13      profile.by_sender().any_messages_malicious_or_spam
 14      and not profile.by_sender().any_messages_benign
 15    )
 16  )
 17  
 18  // single attachment
 19  and length(attachments) == 1
 20  
 21  // sender is freemail, or a Tranco top-50k root domain whose To: recipients are all outside $org_domains
 22  and (
 23    sender.email.domain.root_domain in $free_email_providers
 24    // the sender is a common service, which has likely been sent through a DL
 25    or (
 26      sender.email.domain.root_domain in $tranco_50k
 27      and all(recipients.to, .email.domain.domain not in $org_domains)
 28    )
 29  )
 30  // the attachment is a pdf with fewer than 3 pages and more than 60 OCR chars
 31  and any(attachments,
 32          (
 33            .file_extension == "pdf"
 34            // page count is read from the top-level (depth 0) explode result;
               // PDFs produced by "Aspose.Words for Java" with creator/Author "Anusha T" are excluded
               // (presumably FP tuning - confirm); the exclusion does not apply when producer or creator metadata is null
 35            and any(file.explode(.),
 36                    .depth == 0
 37                    and .scan.exiftool.page_count < 3
 38                    and (
 39                      not (
 40                        strings.istarts_with(.scan.exiftool.producer,
 41                                             "Aspose.Words for Java"
 42                        )
 43                        and (
 44                          .scan.exiftool.creator == "Anusha T"
 45                          or any(.scan.exiftool.fields,
 46                                 .key == "Author" and .value == "Anusha T"
 47                          )
 48                        )
 49                      )
 50                      or .scan.exiftool.producer is null
 51                      or .scan.exiftool.creator is null
 52                    )
 53            )
 54            // negate ML matches to "Professional and Career Development" - tuning resume FPs
               // checked against the body (html display text, falling back to plain raw) and against the OCR text of any pdf attachment
               // NOTE(review): this negation keys on .file_type == 'pdf' while the outer match keys on .file_extension == "pdf" - confirm the mismatch is intended
 55            and not (
 56              any(beta.ml_topic(coalesce(body.html.display_text, body.plain.raw)).topics,
 57                  .name == "Professional and Career Development"
 58                  and .confidence == "high"
 59              )
 60              or (
 61                (
 62                  any(attachments,
 63                      .file_type == 'pdf'
 64                      and any(file.explode(.),
 65                              any(beta.ml_topic(.scan.ocr.raw).topics,
 66                                  .name == "Professional and Career Development"
 67                                  and .confidence == "high"
 68                              )
 69                      )
 70                  )
 71                )
 72              )
 73            )
 74            // check that any _single_ result in the file.explode matches these conditions
 75            // a second file.explode is required because the OCR is generated at a different depth within 
 76            // the file.explode results
 77            and (
 78              any(file.explode(.),
 79                  length(.scan.ocr.raw) > 60
 80                  // 4 of the following strings are found        
 81                  and 4 of (
 82                    // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
 83                    strings.icontains(.scan.ocr.raw, "purchase"),
 84                    strings.icontains(.scan.ocr.raw, "payment"),
 85                    strings.icontains(.scan.ocr.raw, "transaction"),
 86                    strings.icontains(.scan.ocr.raw, "subscription"),
 87                    strings.icontains(.scan.ocr.raw, "antivirus"),
 88                    strings.icontains(.scan.ocr.raw, "order"),
 89                    strings.icontains(.scan.ocr.raw, "support"),
 90                    strings.icontains(.scan.ocr.raw, "help line"),
 91                    strings.icontains(.scan.ocr.raw, "receipt"),
 92                    strings.icontains(.scan.ocr.raw, "invoice"),
 93                    strings.icontains(.scan.ocr.raw, "call"),
 94                    strings.icontains(.scan.ocr.raw, "helpdesk"),
 95                    strings.icontains(.scan.ocr.raw, "cancel"),
 96                    strings.icontains(.scan.ocr.raw, "renew"),
 97                    strings.icontains(.scan.ocr.raw, "refund"),
 98                    regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
 99                    strings.icontains(.scan.ocr.raw, "+1"),
100                    strings.icontains(.scan.ocr.raw, "amount"),
101                    strings.icontains(.scan.ocr.raw, "charged"),
102                    strings.icontains(.scan.ocr.raw, "crypto"),
103                    strings.icontains(.scan.ocr.raw, "wallet address"),
                       // dollar amount with a three-digit whole part, e.g. $499.99 (constructed example)
104                    regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                       // phone-number shapes; the [ilo0-9] classes accept i/l/o where OCR may have misread a digit
105                    regex.icontains(.scan.ocr.raw,
106                                    '(\+[ilo0-9]|1.(\()?[ilo0-9]{3}(\))?\D[ilo0-9]{3}\D[ilo0-9]{4})',
107                                    '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
108                    ),
109                  )
110                  and (
111                    // this section is synced with attachment_callback_phish_with_img.yml and body_callback_phishing_no_attachment.yml
112                    regex.icontains(.scan.ocr.raw,
113                                    '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
114                    )
115                    // suspicious attachment name from the attachment object not file.explode() output
                       // NOTE(review): the "." before pdf is unescaped and matches any character; '\.pdf' would be stricter
116                    or regex.icontains(..file_name, 'INV(?:_|\s)?\d+(.pdf)$')
117                  )
118                  // Negate bank statements
119                  and not (
120                    2 of (
121                      strings.icontains(.scan.ocr.raw, "opening balance"),
122                      strings.icontains(.scan.ocr.raw, "closing balance"),
123                      strings.icontains(.scan.ocr.raw, "direct debit"),
124                      strings.icontains(.scan.ocr.raw, "interest"),
125                      strings.icontains(.scan.ocr.raw, "account balance"),
126                    )
127                  )
128              )
129              // this section is synced with attachment_callback_phish_with_img.yml and body_callback_phishing_no_attachment.yml
                 // here "." is the attachment object (not a file.explode result): match a detected brand logo
130              or any(ml.logo_detect(.).brands,
131                     .name in (
132                       "PayPal",
133                       "Norton",
134                       "GeekSquad",
135                       "Ebay",
136                       "McAfee",
137                       "AT&T"
138                     )
139              )
140            )
141          )
142  )
     // reply/thread handling
     // NOTE(review): the final alternative (no References header, or a current-thread body under 10 chars)
     // satisfies this whole group on its own, so when References is present the outcome is decided by the
     // subject-prefix negation and the short-thread-body check; the In-Reply-To hop check never changes the result
     // (assuming length(headers.references) is 0 rather than null when the header is absent - confirm)
143  and (
144    (
145      (
146        length(headers.references) > 0
147        or not any(headers.hops,
148                   any(.fields, strings.ilike(.name, "In-Reply-To"))
149        )
150      )
151      and not (
152        (
153          strings.istarts_with(subject.subject, "RE:")
154          or strings.istarts_with(subject.subject, "RES:")
155          or strings.istarts_with(subject.subject, "R:")
156          or strings.istarts_with(subject.subject, "ODG:")
157          or strings.istarts_with(subject.subject, "答复:")
158          or strings.istarts_with(subject.subject, "AW:")
159          or strings.istarts_with(subject.subject, "TR:")
160          or strings.istarts_with(subject.subject, "FWD:")
161          or regex.imatch(subject.subject,
162                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
163          )
164        )
165      )
166    )
167    or (length(headers.references) == 0 or length(body.current_thread.text) < 10)
168  )  
169attack_types:
170  - "Callback Phishing"
171tactics_and_techniques:
172  - "Evasion"
173  - "Free email provider"
174  - "Out of band pivot"
175  - "PDF"
176  - "Social engineering"
177detection_methods:
178  - "Exif analysis"
179  - "File analysis"
180  - "Optical Character Recognition"
181  - "Sender analysis"
182id: "ac33f097-af20-554c-b29a-56f21be1b285"