Attachment: Callback phishing solicitation via pdf file
A fraudulent invoice/receipt found in a PDF attachment. Callback phishing is an attempt by an attacker to get the victim (recipient) to call a phone number. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
# Sublime Security detection rule (MQL query embedded in YAML).
# Flags an inbound message whose single pdf attachment reads like a fake
# invoice/receipt pushing the recipient to phone a number (callback phishing).
name: "Attachment: Callback phishing solicitation via pdf file"
description: |
  A fraudulent invoice/receipt found in a pdf attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "high"
# Every top-level "and (...)" group below is an independent gate; all must hold.
source: |
  type.inbound
  // sender gate: unsolicited sender, or a sender with malicious/spam history and no benign history
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_messages_benign
    )
  )

  // single attachment
  and length(attachments) == 1

  // sender is freemail
  and (
    sender.email.domain.root_domain in $free_email_providers
    // the sender is a common service, which has likely been sent through a DL
    // (only accepted when no To: recipient is in an org domain)
    or (
      sender.email.domain.root_domain in $tranco_50k
      and all(recipients.to, .email.domain.domain not in $org_domains)
    )
  )
  // the attachment is a pdf with less than 3 pages, and at least 60 ocr chars
  and any(attachments,
          (
            .file_extension == "pdf"
            // get the length of the attached pdf
            // NOTE(review): confirm how "page_count < 3" evaluates when exif has no page_count
            and any(file.explode(.),
                    .depth == 0
                    and .scan.exiftool.page_count < 3
                    // exif gate: one known producer/author combination is excluded
                    // (false-positive tuning), unless producer or creator metadata is missing
                    and (
                      not (
                        strings.istarts_with(.scan.exiftool.producer,
                                             "Aspose.Words for Java"
                        )
                        and (
                          .scan.exiftool.creator == "Anusha T"
                          or any(.scan.exiftool.fields,
                                 .key == "Author" and .value == "Anusha T"
                          )
                        )
                      )
                      or .scan.exiftool.producer is null
                      or .scan.exiftool.creator is null
                    )
            )
            // negate ML matches to "Professional and Career Development" - tuning resume FPs
            // checked against the message body first, then against the OCR text of any pdf
            // (this inner any() tests .file_type, whereas the outer one tests .file_extension)
            and not (
              any(beta.ml_topic(coalesce(body.html.display_text, body.plain.raw)).topics,
                  .name == "Professional and Career Development"
                  and .confidence == "high"
              )
              or (
                (
                  any(attachments,
                      .file_type == 'pdf'
                      and any(file.explode(.),
                              any(beta.ml_topic(.scan.ocr.raw).topics,
                                  .name == "Professional and Career Development"
                                  and .confidence == "high"
                              )
                      )
                  )
                )
              )
            )
            // check that any _single_ result in the file.explode matches these conditions
            // a second file.explode is required because the OCR is generated at a different depth within
            // the file.explode results
            and (
              any(file.explode(.),
                  length(.scan.ocr.raw) > 60
                  // 4 of the following strings are found
                  and 4 of (
                    // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "payment"),
                    strings.icontains(.scan.ocr.raw, "transaction"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "help line"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "helpdesk"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
                    strings.icontains(.scan.ocr.raw, "+1"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "charged"),
                    strings.icontains(.scan.ocr.raw, "crypto"),
                    strings.icontains(.scan.ocr.raw, "wallet address"),
                    regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                    // phone-number shapes; the [ilo0-9] classes accept i, l and o in digit
                    // positions, presumably to tolerate OCR misreads of 1/l/i and 0/o — confirm
                    regex.icontains(.scan.ocr.raw,
                                    '(\+[ilo0-9]|1.(\()?[ilo0-9]{3}(\))?\D[ilo0-9]{3}\D[ilo0-9]{4})',
                                    '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                    ),
                  )
                  // brand gate: the OCR text names a commonly impersonated brand,
                  // or the attachment name looks like INV<digits>.pdf
                  and (
                    // this section is synced with attachment_callback_phish_with_img.yml and body_callback_phishing_no_attachment.yml
                    regex.icontains(.scan.ocr.raw,
                                    '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
                    )
                    // suspicious attachment name from the attachment object not file.explode() output
                    or regex.icontains(..file_name, 'INV(?:_|\s)?\d+(.pdf)$')
                  )
                  // Negate bank statements
                  and not (
                    2 of (
                      strings.icontains(.scan.ocr.raw, "opening balance"),
                      strings.icontains(.scan.ocr.raw, "closing balance"),
                      strings.icontains(.scan.ocr.raw, "direct debit"),
                      strings.icontains(.scan.ocr.raw, "interest"),
                      strings.icontains(.scan.ocr.raw, "account balance"),
                    )
                  )
              )
              // this section is synced with attachment_callback_phish_with_img.yml and body_callback_phishing_no_attachment.yml
              // logo detection runs on the attachment object itself (the "." of the
              // enclosing any(attachments, ...)), not on a file.explode() result
              or any(ml.logo_detect(.).brands,
                     .name in (
                       "PayPal",
                       "Norton",
                       "GeekSquad",
                       "Ebay",
                       "McAfee",
                       "AT&T"
                     )
              )
            )
          )
  )
  // thread gate: accept when References is empty, when the current thread text is
  // under 10 chars, or when the subject does not look like a reply/forward
  // NOTE(review): the "not any(headers.hops, ... In-Reply-To)" test cannot change the
  // outcome: with a non-empty References the left disjunct is already true, and with an
  // empty References the final "or (length(headers.references) == 0 ...)" accepts the
  // message anyway — confirm whether the hop check was meant to stand on its own
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject,
                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
          )
        )
      )
    )
    or (length(headers.references) == 0 or length(body.current_thread.text) < 10)
  )
# classification metadata
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"