Callback Phishing solicitation in message body
A fraudulent invoice/receipt found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule
```yaml
name: "Callback Phishing solicitation in message body"
description: |
  A fraudulent invoice/receipt found in the body of the message.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or sender.email.domain.tld in $suspicious_tlds
    or network.whois(sender.email.domain).found == false
    or headers.mailer in~ ("Microsoft CDO for Windows 2000")
    or (
      length(recipients.to) == 1
      and all(recipients.to, .email.domain.domain not in $org_domains)
    )
  )
  and (
    strings.ilike(body.current_thread.text,
                  "*mcfee*",
                  "*mcafee*",
                  "*norton*",
                  "*geek*squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*utilities premium*",
                  "*pc security*"
    )
    or regex.icontains(body.current_thread.text, "pay.{0,10}pal")
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
    )
  )
  and length(body.current_thread.text) < 1750
  and (
    (
      3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*help line*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*'),
        strings.ilike(body.current_thread.text, "*contact us at*")
      )
      // phone number regex
      and (
        regex.icontains(body.current_thread.text,
                        '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
        )
        or regex.icontains(body.current_thread.text,
                           '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
        )
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          3 of (
            strings.ilike(.scan.ocr.raw, '*purchase*'),
            strings.ilike(.scan.ocr.raw, '*payment*'),
            strings.ilike(.scan.ocr.raw, '*transaction*'),
            strings.ilike(.scan.ocr.raw, '*subscription*'),
            strings.ilike(.scan.ocr.raw, '*antivirus*'),
            strings.ilike(.scan.ocr.raw, '*order*'),
            strings.ilike(.scan.ocr.raw, '*support*'),
            strings.ilike(.scan.ocr.raw, '*help line*'),
            strings.ilike(.scan.ocr.raw, '*receipt*'),
            strings.ilike(.scan.ocr.raw, '*invoice*'),
            strings.ilike(.scan.ocr.raw, '*call*'),
            strings.ilike(.scan.ocr.raw, '*cancel*'),
            strings.ilike(.scan.ocr.raw, '*renew*'),
            strings.ilike(.scan.ocr.raw, '*refund*'),
            strings.ilike(.scan.ocr.raw, '*contact us at*')
          )
          // phone number regex
          and (
            regex.icontains(.scan.ocr.raw,
                            '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
            )
            or regex.icontains(.scan.ocr.raw,
                               '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
            )
          )
      )
    )
  )
  // not high trust sender domains
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  and not strings.ends_with(headers.message_id, "@shopify.com>")

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"
```
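The body-content part of the rule (brand mention, body length under 1750 characters, at least three lure keywords, and a phone number matched by the two regexes) can be exercised outside Sublime to see which signal a given message trips or misses. The following is an added Python example, not Sublime's engine or the project's own code: it mirrors only the body checks, leaves out the sender-profile, attachment, WHOIS, DMARC and screenshot/OCR conditions, and runs over three constructed sample bodies. The `ilike` helper is an assumed approximation of MQL `strings.ilike` (case-insensitive, `*` as wildcard).

```python
import re

# Lure keywords from the rule: at least 3 must appear in the message body.
KEYWORDS = [
    "*purchase*", "*payment*", "*transaction*", "*subscription*",
    "*antivirus*", "*order*", "*support*", "*help line*", "*receipt*",
    "*invoice*", "*call*", "*cancel*", "*renew*", "*refund*",
    "*contact us at*",
]

# Impersonated brands from the rule, plus the "pay.{0,10}pal" regex that
# also catches spaced or obfuscated spellings such as "Pay Pal".
BRAND_PATTERNS = [
    "*mcfee*", "*mcafee*", "*norton*", "*geek*squad*", "*paypal*", "*ebay*",
    "*symantec*", "*best buy*", "*lifelock*", "*utilities premium*",
    "*pc security*",
]
PAYPAL_RE = re.compile(r"pay.{0,10}pal", re.IGNORECASE)

# Phone-number regexes copied from the rule. The second one tolerates up to
# five separator characters (space, dot, dash, middle dot) between groups.
PHONE_PATTERNS = [
    re.compile(r"\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}"),
    re.compile(r"\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}"),
]

MAX_BODY_LENGTH = 1750  # the rule only fires on short bodies


def ilike(text: str, pattern: str) -> bool:
    """Assumed approximation of MQL strings.ilike: case-insensitive, '*' is a wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def matched_keywords(body: str) -> list:
    """Which of the rule's lure keywords occur in the body."""
    return [k for k in KEYWORDS if ilike(body, k)]


def has_phone_number(body: str) -> bool:
    """True if either phone-number regex from the rule matches."""
    return any(p.search(body) for p in PHONE_PATTERNS)


def brand_mentioned(body: str) -> bool:
    """True if one of the impersonated brands (or the PayPal regex) is present."""
    return any(ilike(body, b) for b in BRAND_PATTERNS) or PAYPAL_RE.search(body) is not None


def evaluate(body: str) -> dict:
    """Return each body signal plus the combined verdict for one message."""
    keywords = matched_keywords(body)
    signals = {
        "brand": brand_mentioned(body),
        "short_body": len(body) < MAX_BODY_LENGTH,
        "keywords": keywords,
        "phone": has_phone_number(body),
    }
    signals["verdict"] = (
        signals["brand"] and signals["short_body"]
        and len(keywords) >= 3 and signals["phone"]
    )
    return signals


def is_callback_phishing_body(body: str) -> bool:
    return evaluate(body)["verdict"]


# Constructed sample bodies (not real messages).
PHISH_BODY = (
    "Thank you for your purchase. Your Norton antivirus subscription has been "
    "renewed and a payment of $399.99 was charged. If you did not authorize "
    "this transaction or want a refund, call our support help line at "
    "+1 (800) 555-0199 within 24 hours."
)
BENIGN_BODY = (
    "Hi team, the quarterly security review is on Tuesday. Please upload your "
    "slides to the shared folder before then. Thanks!"
)
# Brand and three keywords present, but no phone number: the rule's
# "3 of keywords AND phone regex" gate keeps this from firing.
BRAND_NO_PHONE_BODY = (
    "Our PayPal integration ships next sprint; the order and invoice docs are "
    "in the wiki. Call me if you get blocked."
)

if __name__ == "__main__":
    for label, body in [("phish", PHISH_BODY), ("benign", BENIGN_BODY),
                        ("brand-no-phone", BRAND_NO_PHONE_BODY)]:
        print(label, evaluate(body))
```

Running the script prints the per-signal breakdown for each body; the third sample is the useful one when tuning, because it shows that a brand name plus lure vocabulary alone is not enough and the phone-number regex is what separates a vendor conversation from a callback lure.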