Attachment: Callback Phishing solicitation via pdf file

A fraudulent invoice or receipt delivered as a PDF attachment. Callback phishing is an attempt by an attacker to get the victim (the recipient) to call a phone number supplied in the message rather than click a link, which is why these lures often carry no URL at all. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

# Sublime Security detection rule; the `source` block is MQL.
# Fires on inbound mail from a free-mail sender that carries exactly one short
# PDF whose OCR text reads like an invoice/receipt for a well-known "callback"
# brand (Geek Squad, Norton, PayPal, ...) and is not a bank statement.
name: "Attachment: Callback Phishing solicitation via pdf file"
description: |
  A fraudulent invoice/receipt found in a pdf attachment.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
type: "rule"
severity: "high"
source: |
  // inbound mail only
  type.inbound
  // sender gate: either this sender has never been solicited, or the sender
  // already has malicious/spam history with no recorded false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  
  // single attachment
  and length(attachments) == 1
  
  // sender is freemail
  and sender.email.domain.root_domain in $free_email_providers
  
  // the attachment is a pdf with less than 3 pages, and at least 60 ocr chars
  // NOTE(review): every any(file.explode(.), ...) below is quantified
  // independently, so the page-count, OCR-length, keyword and brand checks
  // need not all hold on the same exploded object. Presumably the top-level
  // PDF is the object carrying both exif and OCR data -- confirm.
  and any(attachments,
          (
            .file_extension == "pdf"
            and any(file.explode(.), .scan.exiftool.page_count < 3)
            and any(file.explode(.), length(.scan.ocr.raw) > 60)
          )
  
          // 4 of the following strings are found        
          // strings.icontains is a case-insensitive substring test, so short
          // tokens such as "call", "order", "support", "cancel" and "renew" also
          // hit "recall", "border", "renewal", etc.; precision comes from the
          // 4-of threshold together with the brand requirement further down.
          // The dollar regex only counts three-digit amounts with cents
          // (e.g. $499.99); amounts with thousands separators or fewer digits
          // do not contribute to the 4-of.
          // In the first phone regex the "." after the leading "1" is an
          // unescaped metacharacter, so it matches any single character before
          // the area code. The second phone regex includes U+22C5 (⋅) in its
          // separator class -- presumably an OCR rendering of a dot; confirm.
          and (
            any(file.explode(.),
                4 of (
                  strings.icontains(.scan.ocr.raw, "purchase"),
                  strings.icontains(.scan.ocr.raw, "payment"),
                  strings.icontains(.scan.ocr.raw, "transaction"),
                  strings.icontains(.scan.ocr.raw, "subscription"),
                  strings.icontains(.scan.ocr.raw, "antivirus"),
                  strings.icontains(.scan.ocr.raw, "order"),
                  strings.icontains(.scan.ocr.raw, "support"),
                  strings.icontains(.scan.ocr.raw, "help line"),
                  strings.icontains(.scan.ocr.raw, "receipt"),
                  strings.icontains(.scan.ocr.raw, "invoice"),
                  strings.icontains(.scan.ocr.raw, "call"),
                  strings.icontains(.scan.ocr.raw, "helpdesk"),
                  strings.icontains(.scan.ocr.raw, "cancel"),
                  strings.icontains(.scan.ocr.raw, "renew"),
                  strings.icontains(.scan.ocr.raw, "refund"),
                  strings.icontains(.scan.ocr.raw, "amount"),
                  strings.icontains(.scan.ocr.raw, "crypto"),
                  strings.icontains(.scan.ocr.raw, "wallet address"),
                  regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                  regex.icontains(.scan.ocr.raw,
                                  '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
                  ),
                  regex.icontains(.scan.ocr.raw,
                                  '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
                  )
                )
            )
          )
  
          // 1 of the following strings is found, representing common Callback brands          
          // Brand evidence comes from OCR text OR from logo detection. Note the
          // two lists differ: McAfee, LifeLock and Best Buy are only matched via
          // OCR text, not via ml.logo_detect.
          and (
            any(file.explode(.),
                1 of (
                  strings.icontains(.scan.ocr.raw, "geek squad"),
                  strings.icontains(.scan.ocr.raw, "lifelock"),
                  strings.icontains(.scan.ocr.raw, "best buy"),
                  strings.icontains(.scan.ocr.raw, "mcafee"),
                  strings.icontains(.scan.ocr.raw, "norton"),
                  strings.icontains(.scan.ocr.raw, "ebay"),
                  strings.icontains(.scan.ocr.raw, "paypal"),
                )
            )
            or any(ml.logo_detect(.).brands,
                   .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
            )
          )
          // Negate bank statements
          // Two of these phrases mark the PDF as a statement rather than a
          // callback lure. "interest" is a bare substring and also matches
          // "interested"/"interesting", which is why two hits are required.
          and not (
            any(file.explode(.),
                2 of (
                  strings.icontains(.scan.ocr.raw, "opening balance"),
                  strings.icontains(.scan.ocr.raw, "closing balance"),
                  strings.icontains(.scan.ocr.raw, "direct debit"),
                  strings.icontains(.scan.ocr.raw, "interest"),
                  strings.icontains(.scan.ocr.raw, "account balance"),
                )
            )
        )
  )
  
  // Reply/thread check. This clause holds when either
  //   (a) a References header is present OR no hop carries an In-Reply-To
  //       field, AND the subject does not start with a reply/forward prefix; or
  //   (b) there is no References header OR the current-thread text is shorter
  //       than 10 characters.
  // NOTE(review): because (b) is already true whenever References is empty,
  // the only messages this clause excludes are those that carry a References
  // header, have at least 10 chars of current-thread text AND a reply/forward
  // subject prefix. In that remaining case (a)'s first test
  // (length(headers.references) > 0) is always true, so the In-Reply-To hop
  // check never influences the result. Possibly "== 0" was intended there;
  // confirm against the rule's test corpus before changing.
  and (
    (
      (
        length(headers.references) > 0
        or not any(headers.hops,
                   any(.fields, strings.ilike(.name, "In-Reply-To"))
        )
      )
      and not (
        (
          strings.istarts_with(subject.subject, "RE:")
          or strings.istarts_with(subject.subject, "RES:")
          or strings.istarts_with(subject.subject, "R:")
          or strings.istarts_with(subject.subject, "ODG:")
          or strings.istarts_with(subject.subject, "答复:")
          or strings.istarts_with(subject.subject, "AW:")
          or strings.istarts_with(subject.subject, "TR:")
          or strings.istarts_with(subject.subject, "FWD:")
          or regex.imatch(subject.subject,
                        '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
        )
        )
      )
    )
    or (length(headers.references) == 0 or length(body.current_thread.text) < 10)
  )  

# classification metadata: what the lure is, how it works, and which
# analysis features the logic above relies on
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Free email provider"
  - "Out of band pivot"
  - "PDF"
  - "Social engineering"
detection_methods:
  - "Exif analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "ac33f097-af20-554c-b29a-56f21be1b285"