Attachment: Callback Phishing solicitation via pdf file

A fraudulent invoice/receipt found in a short PDF attachment (the rule below accepts fewer than three pages). Callback Phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

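  name: "Attachment: Callback Phishing solicitation via pdf file"
  description: |
    A fraudulent invoice/receipt found in a short PDF attachment (fewer than three pages).
    Callback Phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number.
    The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
  type: "rule"
  severity: "high"
  source: |
    type.inbound

    // sender reputation: the recipient never solicited mail from this sender, or the
    // sender has prior malicious/spam messages and no recorded false positives
    and (
      not profile.by_sender().solicited
      or (
        profile.by_sender().any_messages_malicious_or_spam
        and not profile.by_sender().any_false_positives
      )
    )

    // exactly one attachment
    and length(attachments) == 1

    // sender is freemail
    and sender.email.domain.root_domain in $free_email_providers

    // the attachment is a pdf with fewer than 3 pages and more than 60 OCR characters.
    // each any(file.explode(.), ...) is quantified separately over the exploded files,
    // so the page-count, OCR-length and keyword conditions are not tied to one object.
    // the extension match is exact/lower-case; a ".PDF" or extension-less attachment is not evaluated.
    and any(attachments,
            (
              .file_extension == "pdf"
              and any(file.explode(.), .scan.exiftool.page_count < 3)
              and any(file.explode(.), length(.scan.ocr.raw) > 60)
            )

            // 4 of the following invoice / support / payment / phone-number indicators
            // are found in the OCR text. the dollar regex only counts three-digit
            // amounts (e.g. $299.99); the phone regexes accept ., -, spaces and the
            // U+22C5 dot operator as separators, which are used to evade plain matching.
            and (
              any(file.explode(.),
                  4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "payment"),
                    strings.icontains(.scan.ocr.raw, "transaction"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "help line"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "helpdesk"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "crypto"),
                    strings.icontains(.scan.ocr.raw, "wallet address"),
                    regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                    regex.icontains(.scan.ocr.raw,
                                    '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
                    ),
                    regex.icontains(.scan.ocr.raw,
                                    '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
                    )
                  )
              )
            )

            // 1 of the following brands commonly impersonated in callback phishing is
            // found in the OCR text, or its logo is detected in the rendered attachment
            and (
              any(file.explode(.),
                  1 of (
                    strings.icontains(.scan.ocr.raw, "geek squad"),
                    strings.icontains(.scan.ocr.raw, "lifelock"),
                    strings.icontains(.scan.ocr.raw, "best buy"),
                    strings.icontains(.scan.ocr.raw, "mcafee"),
                    strings.icontains(.scan.ocr.raw, "norton"),
                    strings.icontains(.scan.ocr.raw, "ebay"),
                    strings.icontains(.scan.ocr.raw, "paypal")
                  )
              )
              or any(ml.logo_detect(.).brands,
                     .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
              )
            )

            // exclude genuine bank statements, which share the financial vocabulary above
            and not (
              any(file.explode(.),
                  2 of (
                    strings.icontains(.scan.ocr.raw, "opening balance"),
                    strings.icontains(.scan.ocr.raw, "closing balance"),
                    strings.icontains(.scan.ocr.raw, "direct debit"),
                    strings.icontains(.scan.ocr.raw, "interest"),
                    strings.icontains(.scan.ocr.raw, "account balance")
                  )
              )
            )
    )

  attack_types:
    - "Callback Phishing"
  tactics_and_techniques:
    - "Evasion"
    - "Free email provider"
    - "Out of band pivot"
    - "PDF"
    - "Social engineering"
  detection_methods:
    - "Exif analysis"
    - "File analysis"
    - "Optical Character Recognition"
    - "Sender analysis"
  id: "ac33f097-af20-554c-b29a-56f21be1b285"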