Attachment: Callback Phishing solicitation via pdf file
A fraudulent invoice/receipt found in a single-page PDF attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
name: "Attachment: Callback Phishing solicitation via pdf file"
description: |
  A fraudulent invoice/receipt found in an single page pdf attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "high"
source: |
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // single attachment
  and length(attachments) == 1

  // sender is freemail
  and sender.email.domain.root_domain in $free_email_providers

  // the attachment is a pdf with 1 page, and more than 60 ocr chars
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.), .scan.exiftool.page_count == 1)
          and any(file.explode(.), length(.scan.ocr.raw) > 60)

          // 4 of the following strings are found
          and any(file.explode(.),
                  4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "payment"),
                    strings.icontains(.scan.ocr.raw, "transaction"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "help line"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "helpdesk"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    regex.icontains(.scan.ocr.raw, '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})')
                  )
          )

          // 1 of the following strings is found, representing common Callback brands
          and (
            any(file.explode(.),
                1 of (
                  strings.icontains(.scan.ocr.raw, "geek squad"),
                  strings.icontains(.scan.ocr.raw, "lifelock"),
                  strings.icontains(.scan.ocr.raw, "best buy"),
                  strings.icontains(.scan.ocr.raw, "mcafee"),
                  strings.icontains(.scan.ocr.raw, "norton"),
                  strings.icontains(.scan.ocr.raw, "ebay"),
                  strings.icontains(.scan.ocr.raw, "paypal"),
                )
            )
            or any(ml.logo_detect(.).brands,
                   .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
            )
          )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"
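To see how the rule's clauses combine, the following is an added Python prototype of the same logic, not Sublime's MQL engine or any code from the detection-rules project. The `Message` and `Attachment` dataclasses are a constructed stand-in for the fields the rule reads (`profile.by_sender()`, `.scan.exiftool.page_count`, `.scan.ocr.raw`, `ml.logo_detect(.).brands`), the `FREE_EMAIL_PROVIDERS` set is an assumed stand-in for `$free_email_providers`, and the three sample messages are constructed test inputs. The term list, phone regex and brand lists are copied from the rule above.

```python
"""Prototype of the callback-phishing PDF rule's logic (added example, not Sublime code)."""
import re
from dataclasses import dataclass, field

# Assumed stand-in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Term list, phone regex and brand lists copied from the rule; matching is
# case-insensitive substring, like strings.icontains / regex.icontains.
KEYWORDS = ["purchase", "payment", "transaction", "subscription", "antivirus",
            "order", "support", "help line", "receipt", "invoice", "call",
            "helpdesk", "cancel", "renew", "refund"]
PHONE_RE = re.compile(r"(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})", re.IGNORECASE)
BRAND_TERMS = ["geek squad", "lifelock", "best buy", "mcafee", "norton", "ebay", "paypal"]
LOGO_BRANDS = {"PayPal", "Norton", "GeekSquad", "Ebay"}


@dataclass
class Attachment:                       # constructed stand-in for an attachment object
    file_extension: str
    page_count: int                     # .scan.exiftool.page_count
    ocr_raw: str                        # .scan.ocr.raw
    logo_brands: list = field(default_factory=list)   # names from ml.logo_detect(.).brands


@dataclass
class Message:                          # constructed stand-in for message + sender profile
    inbound: bool
    sender_root_domain: str
    solicited: bool
    any_messages_malicious_or_spam: bool
    any_false_positives: bool
    attachments: list


def sender_is_unsolicited_or_bad(m):
    """First clause: unknown sender, or a sender with prior bad history and no false positives."""
    return (not m.solicited) or (m.any_messages_malicious_or_spam and not m.any_false_positives)


def keyword_hits(text):
    """Subset of KEYWORDS present in the OCR text, plus 'phone_pattern' if the regex fires."""
    low = text.lower()
    hits = [k for k in KEYWORDS if k in low]
    if PHONE_RE.search(text):
        hits.append("phone_pattern")
    return hits


def brand_hit(att):
    """Brand clause: a brand term in the OCR text, or a brand reported by logo detection."""
    low = att.ocr_raw.lower()
    return any(b in low for b in BRAND_TERMS) or any(b in LOGO_BRANDS for b in att.logo_brands)


def matches_callback_phishing(m):
    """Evaluate every condition of the rule in order; False as soon as one fails."""
    if not (m.inbound and sender_is_unsolicited_or_bad(m)):
        return False
    if len(m.attachments) != 1:                       # single attachment
        return False
    if m.sender_root_domain not in FREE_EMAIL_PROVIDERS:   # sender is freemail
        return False
    att = m.attachments[0]
    if att.file_extension != "pdf" or att.page_count != 1 or len(att.ocr_raw) <= 60:
        return False
    return len(keyword_hits(att.ocr_raw)) >= 4 and brand_hit(att)   # "4 of" then "1 of"


# Constructed sample inputs (not real messages; phone number is a reserved 555 number).
LURE_OCR = (
    "Norton 360 Antivirus - Invoice INV-0001\n"
    "Thank you for your purchase. Your annual subscription has been renewed and a "
    "payment of $349.99 was charged.\n"
    "To cancel or request a refund, call our support help line: +1 (800) 555-0199"
)
LURE = Message(inbound=True, sender_root_domain="gmail.com", solicited=False,
               any_messages_malicious_or_spam=False, any_false_positives=False,
               attachments=[Attachment("pdf", 1, LURE_OCR)])

NOTES_OCR = ("Hi all, attached are the notes from Tuesday's planning session. "
             "Let me know if anything in the agenda needs correcting before Friday.")
NOTES = Message(inbound=True, sender_root_domain="gmail.com", solicited=False,
                any_messages_malicious_or_spam=False, any_false_positives=False,
                attachments=[Attachment("pdf", 1, NOTES_OCR)])

# Same text, but from an established, solicited sender on a corporate domain.
KNOWN_VENDOR = Message(inbound=True, sender_root_domain="example.com", solicited=True,
                       any_messages_malicious_or_spam=False, any_false_positives=False,
                       attachments=[Attachment("pdf", 1, LURE_OCR)])

if __name__ == "__main__":
    for label, msg in [("lure", LURE), ("meeting notes", NOTES), ("known vendor", KNOWN_VENDOR)]:
        print(f"{label}: match={matches_callback_phishing(msg)} hits={keyword_hits(msg.attachments[0].ocr_raw)}")
```

Running it shows why the rule stacks independent signals: the lure trips all of them (freemail sender, one single-page PDF, a dozen term hits including the phone pattern, and a brand name), while a genuine one-page PDF from a freemail address with no billing vocabulary and no brand never reaches the `4 of` threshold, and the same text from a solicited corporate sender is excluded by the sender-profile and freemail clauses before the content is inspected. Tuning the rule in practice means adjusting the thresholds and lists, not removing the cheap structural checks that keep false positives down.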