Attachment: Callback Phishing solicitation via pdf file

A fraudulent invoice/receipt found in a single-page PDF attachment. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

# Sublime detection rule: a single-page PDF "invoice/receipt" from a freemail
# sender whose OCR text reads like a callback-phishing lure (payment wording,
# a phone number, and a commonly impersonated brand).
name: "Attachment: Callback Phishing solicitation via pdf file"
description: |
  A fraudulent invoice/receipt found in an single page pdf attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
type: "rule"
severity: "high"
# MQL query; every top-level clause below is AND-ed, so all must hold.
# Comment syntax inside this block is MQL's "//", not YAML's "#".
source: |
  type.inbound
  // sender profile: either the sender is unsolicited, or the sender has
  // prior malicious/spam messages and no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  
  // single attachment
  and length(attachments) == 1
  
  // sender is freemail
  and sender.email.domain.root_domain in $free_email_providers
  
  // the attachment is a pdf with 1 page, and at least 60 ocr chars
  // NOTE(review): the page-count, OCR-length, keyword and brand checks below
  // are each evaluated in their own any() over file.explode(.), so they need
  // not all be satisfied by the same exploded object — confirm this is intended
  and any(attachments,
          .file_extension == "pdf"
          and any(file.explode(.), .scan.exiftool.page_count == 1)
          and any(file.explode(.), length(.scan.ocr.raw) > 60)
  
          // 4 of the following strings are found        
          // (case-insensitive substring matches on the OCR text; the last
          // entry is a phone-number pattern, so a number alone counts as one hit)
          and any(file.explode(.),
                  4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "payment"),
                    strings.icontains(.scan.ocr.raw, "transaction"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "help line"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "helpdesk"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    // phone number: a "+" followed by a digit, or "1", any one
                    // character, then 3 digits (optionally parenthesised), a
                    // non-digit, 3 digits, a non-digit and 4 digits
                    regex.icontains(.scan.ocr.raw, '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})')
                  )
          )
  
          // 1 of the following strings is found, representing common Callback brands          
          // either the OCR text names a brand, or logo detection identifies one
          and (
            any(file.explode(.),
                1 of (
                  strings.icontains(.scan.ocr.raw, "geek squad"),
                  strings.icontains(.scan.ocr.raw, "lifelock"),
                  strings.icontains(.scan.ocr.raw, "best buy"),
                  strings.icontains(.scan.ocr.raw, "mcafee"),
                  strings.icontains(.scan.ocr.raw, "norton"),
                  strings.icontains(.scan.ocr.raw, "ebay"),
                  strings.icontains(.scan.ocr.raw, "paypal"),
                )
            )
            // NOTE(review): the logo brand list is narrower than the OCR list
            // (no LifeLock, Best Buy or McAfee) — presumably deliberate; verify
            or any(ml.logo_detect(.).brands,
                   .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
            )
          )
  )  

# Classification metadata used for triage and reporting.
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"