Callback phishing solicitation in message body
A fraudulent invoice/receipt found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
Sublime rule (View on GitHub)
1name: "Callback phishing solicitation in message body"
2description: |
3 A fraudulent invoice/receipt found in the body of the message.
4 Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
5 The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 and length(attachments) == 0
11 and (
12 not profile.by_sender().solicited
13 or (
14 profile.by_sender().any_messages_malicious_or_spam
15 and not profile.by_sender().any_messages_benign
16 )
17 )
18 and (
19 sender.email.domain.root_domain in $free_email_providers
20 or sender.email.domain.tld in $suspicious_tlds
21 or network.whois(sender.email.domain).found == false
22 or headers.mailer in~ ("Microsoft CDO for Windows 2000")
23 or (
24 length(recipients.to) == 1
25 and all(recipients.to, .email.domain.domain not in $org_domains)
26 )
27 )
28 and (
29 // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
30 regex.icontains(body.current_thread.text,
31 '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
32 )
33 or any(ml.logo_detect(beta.message_screenshot()).brands,
34 .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee", "AT&T")
35 )
36 or any(file.explode(beta.message_screenshot()),
37 regex.icontains(.scan.ocr.raw,
38 '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
39 )
40 )
41 )
42 and length(body.current_thread.text) < 1750
43 and (
44 (
45 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
46 // however, the 3 of logic and requiring a phone number is specific to this rule in order to reduce FPs
47 // caused by messages which mention cancelling or otherwise managing a subscription
48 // it is also synced and below for message_screenshot OCR output
49 3 of (
50 strings.icontains(body.current_thread.text, 'purchase'),
51 strings.icontains(body.current_thread.text, 'payment'),
52 strings.icontains(body.current_thread.text, 'transaction'),
53 strings.icontains(body.current_thread.text, 'subscription'),
54 strings.icontains(body.current_thread.text, 'antivirus'),
55 strings.icontains(body.current_thread.text, 'order'),
56 strings.icontains(body.current_thread.text, 'support'),
57 strings.icontains(body.current_thread.text, 'help line'),
58 strings.icontains(body.current_thread.text, 'receipt'),
59 strings.icontains(body.current_thread.text, 'invoice'),
60 strings.icontains(body.current_thread.text, 'call'),
61 strings.icontains(body.current_thread.text, 'cancel'),
62 strings.icontains(body.current_thread.text, 'renew'),
63 strings.icontains(body.current_thread.text, 'refund'),
64 regex.icontains(body.current_thread.text, "(?:reach|contact) us at"),
65 strings.icontains(body.current_thread.text, "+1"),
66 strings.icontains(body.current_thread.text, "amount"),
67 strings.icontains(body.current_thread.text, "charged"),
68 strings.icontains(body.current_thread.text, "crypto"),
69 strings.icontains(body.current_thread.text, "wallet address"),
70 regex.icontains(body.current_thread.text, '\$\d{3}\.\d{2}\b'),
71 )
72 // phone number regex
73 and regex.icontains(body.current_thread.text,
74 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
75 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
76 )
77 )
78 or (
79 any(file.explode(beta.message_screenshot()),
80 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
81 // and above for current_thread.text
82 3 of (
83 strings.icontains(.scan.ocr.raw, 'purchase'),
84 strings.icontains(.scan.ocr.raw, 'payment'),
85 strings.icontains(.scan.ocr.raw, 'transaction'),
86 strings.icontains(.scan.ocr.raw, 'subscription'),
87 strings.icontains(.scan.ocr.raw, 'antivirus'),
88 strings.icontains(.scan.ocr.raw, 'order'),
89 strings.icontains(.scan.ocr.raw, 'support'),
90 strings.icontains(.scan.ocr.raw, 'help line'),
91 strings.icontains(.scan.ocr.raw, 'receipt'),
92 strings.icontains(.scan.ocr.raw, 'invoice'),
93 strings.icontains(.scan.ocr.raw, 'call'),
94 strings.icontains(.scan.ocr.raw, 'helpdesk'),
95 strings.icontains(.scan.ocr.raw, 'cancel'),
96 strings.icontains(.scan.ocr.raw, 'renew'),
97 strings.icontains(.scan.ocr.raw, 'refund'),
98 regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
99 strings.icontains(.scan.ocr.raw, '+1'),
100 strings.icontains(.scan.ocr.raw, 'amount'),
101 strings.icontains(.scan.ocr.raw, 'charged'),
102 strings.icontains(.scan.ocr.raw, 'crypto'),
103 strings.icontains(.scan.ocr.raw, 'wallet address'),
104 regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
105 )
106 // phone number regex
107 and regex.icontains(.scan.ocr.raw,
108 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
109 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
110 )
111
112 // negate messages with previous threads. While callback phishing with thread hijacking or with current_thread
113 // padded with whitespace and previous threads in the message has been observed, the intetion of using OCR is for image embedded callbacks
114 and not regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
115 // this notation of previous threads often only occurs once
116 and not regex.icontains(.scan.ocr.raw, 'wrote:[\r\n]')
117 )
118 )
119 )
120 // not high trust sender domains
121 and (
122 (
123 sender.email.domain.root_domain in $high_trust_sender_root_domains
124 and not headers.auth_summary.dmarc.pass
125 )
126 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
127 )
128 and not strings.ends_with(headers.message_id, "@shopify.com>")
129attack_types:
130 - "Callback Phishing"
131tactics_and_techniques:
132 - "Free email provider"
133 - "Impersonation: Brand"
134 - "Out of band pivot"
135 - "Social engineering"
136detection_methods:
137 - "File analysis"
138 - "Sender analysis"
139id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"