Attachment: Callback Phishing solicitation via pdf file
A fraudulent invoice/receipt found in a pdf attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
name: "Attachment: Callback Phishing solicitation via pdf file"
description: |
  A fraudulent invoice/receipt found in a pdf attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "high"
source: |
  // Sender context: the sender is unsolicited, or has prior malicious/spam
  // messages on record and no recorded false positives.
  type.inbound
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // single attachment
  and length(attachments) == 1

  // sender is freemail
  and sender.email.domain.root_domain in $free_email_providers

  // the attachment is a pdf with less than 3 pages, and more than 60 ocr chars
  // (the OCR length check is strictly greater than 60; every check below runs
  // against the exploded contents of this one attachment)
  and any(attachments,
          (
            .file_extension == "pdf"
            and any(file.explode(.), .scan.exiftool.page_count < 3)
            and any(file.explode(.), length(.scan.ocr.raw) > 60)
          )

          // 4 of the following strings are found
          // (invoice/payment/support vocabulary, a three-digit dollar amount with
          // cents, or a phone-number pattern, all matched against the OCR text)
          and (
            any(file.explode(.),
                4 of (
                  strings.icontains(.scan.ocr.raw, "purchase"),
                  strings.icontains(.scan.ocr.raw, "payment"),
                  strings.icontains(.scan.ocr.raw, "transaction"),
                  strings.icontains(.scan.ocr.raw, "subscription"),
                  strings.icontains(.scan.ocr.raw, "antivirus"),
                  strings.icontains(.scan.ocr.raw, "order"),
                  strings.icontains(.scan.ocr.raw, "support"),
                  strings.icontains(.scan.ocr.raw, "help line"),
                  strings.icontains(.scan.ocr.raw, "receipt"),
                  strings.icontains(.scan.ocr.raw, "invoice"),
                  strings.icontains(.scan.ocr.raw, "call"),
                  strings.icontains(.scan.ocr.raw, "helpdesk"),
                  strings.icontains(.scan.ocr.raw, "cancel"),
                  strings.icontains(.scan.ocr.raw, "renew"),
                  strings.icontains(.scan.ocr.raw, "refund"),
                  strings.icontains(.scan.ocr.raw, "amount"),
                  strings.icontains(.scan.ocr.raw, "crypto"),
                  strings.icontains(.scan.ocr.raw, "wallet address"),
                  // dollar amount of the form $NNN.NN (exactly three dollar digits)
                  regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                  // NANP-style phone number, optional leading "+<digit>" or "1"
                  regex.icontains(.scan.ocr.raw,
                                  '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
                  ),
                  // phone number with optional country code and mixed separators
                  regex.icontains(.scan.ocr.raw,
                                  '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
                  )
                )
            )
          )

          // 1 of the following strings is found, representing common Callback brands
          // (matched in the OCR text), or a logo for one of the listed brands is
          // detected on the attachment itself.
          // NOTE(review): the logo_detect brand list (PayPal, Norton, GeekSquad, Ebay)
          // is narrower than the OCR list above (no LifeLock, Best Buy, McAfee) —
          // confirm this is intended.
          and (
            any(file.explode(.),
                1 of (
                  strings.icontains(.scan.ocr.raw, "geek squad"),
                  strings.icontains(.scan.ocr.raw, "lifelock"),
                  strings.icontains(.scan.ocr.raw, "best buy"),
                  strings.icontains(.scan.ocr.raw, "mcafee"),
                  strings.icontains(.scan.ocr.raw, "norton"),
                  strings.icontains(.scan.ocr.raw, "ebay"),
                  strings.icontains(.scan.ocr.raw, "paypal"),
                )
            )
            or any(ml.logo_detect(.).brands,
                   .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
            )
          )
          // Negate bank statements: two or more of these phrases in the OCR text
          // suppress the match for this attachment.
          and not (
            any(file.explode(.),
                2 of (
                  strings.icontains(.scan.ocr.raw, "opening balance"),
                  strings.icontains(.scan.ocr.raw, "closing balance"),
                  strings.icontains(.scan.ocr.raw, "direct debit"),
                  strings.icontains(.scan.ocr.raw, "interest"),
                  strings.icontains(.scan.ocr.raw, "account balance"),
                )
            )
          )
  )

  // Thread/reply handling: require that the message is not a reply or forward
  // (by References / In-Reply-To headers and common subject prefixes).
  // NOTE(review): the trailing `or (length(headers.references) == 0 or ...)`
  // branch makes this whole clause true for any message with no References
  // header (or a current-thread body under 10 chars), regardless of the
  // subject-prefix checks above — confirm this is the intended scope.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject,
                          '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
          )
        )
      )
    )
    or (length(headers.references) == 0 or length(body.current_thread.text) < 10)
  )

# Classification metadata for the rule.
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"