Attachment: Callback Phishing solicitation via pdf file
A fraudulent invoice/receipt found in a PDF attachment. Callback phishing is an attempt by an attacker to lure the victim (recipient) into calling a phone number; the lure carries no link or payload, so URL- and attachment-detonation controls do not see it. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
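# Sublime Security detection rule; the `source` block is MQL.
# Targets callback-phishing lures delivered as a single PDF "invoice"/"receipt"
# from a free-mail sender. Detection keys on OCR'd text (amounts, phone
# numbers, billing vocabulary, scam brands) or on a detected brand logo.
name: "Attachment: Callback Phishing solicitation via pdf file"
description: |
  A fraudulent invoice/receipt found in a pdf attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "high"
source: |
  type.inbound
  // sender-reputation gate: the sender is unsolicited, or has prior
  // malicious/spam verdicts with no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // single attachment
  and length(attachments) == 1

  // sender is freemail
  and sender.email.domain.root_domain in $free_email_providers

  // the attachment is a pdf with fewer than 3 pages and more than 60 OCR chars
  // that reads like a billing notice for a known callback-scam brand
  // -- OR a pdf whose detected logo is one of those brands (see the `or` below)
  and any(attachments,
          (
            // `==` is case-sensitive in MQL; `=~` is case-insensitive so an
            // attachment named "invoice.PDF" is not missed. The check is still
            // name-based: a PDF with a renamed extension is not matched here.
            .file_extension =~ "pdf"
            and (
              // get the page count of the attached pdf
              // (depth 0 is presumably the PDF itself rather than an embedded object)
              any(file.explode(.),
                  .depth == 0 and .scan.exiftool.page_count < 3
              )
              // check that any _single_ result in the file.explode matches these conditions
              and any(file.explode(.),
                      length(.scan.ocr.raw) > 60
                      // 4 of the following strings are found.
                      // Note the amount regex only matches three-digit dollar
                      // values ($100.00-$999.99), and in the second phone regex
                      // `\+\d` matches any "+<digit>" while `1.` uses an
                      // unescaped dot (any single character) -- both are loose,
                      // which is acceptable only because 4 hits are required.
                      and (
                        4 of (
                          strings.icontains(.scan.ocr.raw, "purchase"),
                          strings.icontains(.scan.ocr.raw, "payment"),
                          strings.icontains(.scan.ocr.raw, "transaction"),
                          strings.icontains(.scan.ocr.raw, "subscription"),
                          strings.icontains(.scan.ocr.raw, "antivirus"),
                          strings.icontains(.scan.ocr.raw, "order"),
                          strings.icontains(.scan.ocr.raw, "support"),
                          strings.icontains(.scan.ocr.raw, "help line"),
                          strings.icontains(.scan.ocr.raw, "receipt"),
                          strings.icontains(.scan.ocr.raw, "invoice"),
                          strings.icontains(.scan.ocr.raw, "call"),
                          strings.icontains(.scan.ocr.raw, "helpdesk"),
                          strings.icontains(.scan.ocr.raw, "cancel"),
                          strings.icontains(.scan.ocr.raw, "renew"),
                          strings.icontains(.scan.ocr.raw, "refund"),
                          strings.icontains(.scan.ocr.raw, "amount"),
                          strings.icontains(.scan.ocr.raw, "crypto"),
                          strings.icontains(.scan.ocr.raw, "wallet address"),
                          regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                          regex.icontains(.scan.ocr.raw,
                                          '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
                          ),
                          // the `⋅` (U+22C5) in the separator class is presumably
                          // an OCR rendering of a dot/dash -- confirm against samples
                          regex.icontains(.scan.ocr.raw,
                                          '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
                          )
                        )
                      )

                      // 1 of the following strings is found, representing common Callback brands
                      // (the "ma?c.?fee" regex also covers OCR variants of "mcafee",
                      // so the literal "mcafee" entry is redundant but harmless)
                      and 1 of (
                        strings.icontains(.scan.ocr.raw, "geek squad"),
                        strings.icontains(.scan.ocr.raw, "lifelock"),
                        strings.icontains(.scan.ocr.raw, "best buy"),
                        strings.icontains(.scan.ocr.raw, "mcafee"),
                        regex.icontains(.scan.ocr.raw, "ma?c.?fee"),
                        strings.icontains(.scan.ocr.raw, "norton"),
                        strings.icontains(.scan.ocr.raw, "ebay"),
                        strings.icontains(.scan.ocr.raw, "paypal"),
                      )
                      // Negate bank statements (two or more statement-style terms)
                      and not (
                        2 of (
                          strings.icontains(.scan.ocr.raw, "opening balance"),
                          strings.icontains(.scan.ocr.raw, "closing balance"),
                          strings.icontains(.scan.ocr.raw, "direct debit"),
                          strings.icontains(.scan.ocr.raw, "interest"),
                          strings.icontains(.scan.ocr.raw, "account balance"),
                        )
                      )
              )

              // NOTE(review): `and` binds tighter than `or`, so this logo branch is
              // an alternative to the whole (page_count AND ocr) conjunction above:
              // a PDF carrying one of these logos fires regardless of page count,
              // OCR length or the bank-statement negation. Wrap the page-count
              // check around both branches if that is not the intent.
              or any(ml.logo_detect(.).brands,
                     .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
              )
            )
          )
  )
  // thread-position heuristic. With `and` binding tighter than `or` this reads:
  //   ((has References OR no In-Reply-To hop) AND subject is not reply/forward-style)
  //   OR no References OR current-thread body shorter than 10 chars
  // which reduces to: NOT (has References AND reply-style subject AND body >= 10 chars),
  // i.e. only a substantive reply inside an established thread is excluded.
  // NOTE(review): under that reduction the In-Reply-To hop check never changes the
  // outcome -- whenever it could matter, References is empty and the final `or`
  // already admits the message. This assumes length(headers.references) is 0 when
  // the header is absent; confirm before simplifying.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          // localised/bracket-tagged reply and forward prefixes, e.g. "[EXT] Re:"
          or regex.imatch(subject.subject,
                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
          )
        )
      )
    )
    or (length(headers.references) == 0 or length(body.current_thread.text) < 10)
  )

# Sublime classification metadata (used for triage/reporting, not for matching).
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"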