Callback Phishing solicitation in message body
A fraudulent invoice or receipt found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number controlled by the attacker. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule (View on GitHub)
name: "Callback Phishing solicitation in message body"
description: |
  A fraudulent invoice/receipt found in the body of the message.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft to Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or beta.whois(sender.email.domain).found == false
  )
  and (
    strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek*squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*"
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
    )
  )
  and length(body.current_thread.text) < 1500
  and (
    (
      3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*help line*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*')
      )
      // phone number regex
      and (
        regex.icontains(body.current_thread.text,
                        '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
        )
        or regex.icontains(body.current_thread.text,
                           '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
        )
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          3 of (
            strings.ilike(.scan.ocr.raw, '*purchase*'),
            strings.ilike(.scan.ocr.raw, '*payment*'),
            strings.ilike(.scan.ocr.raw, '*transaction*'),
            strings.ilike(.scan.ocr.raw, '*subscription*'),
            strings.ilike(.scan.ocr.raw, '*antivirus*'),
            strings.ilike(.scan.ocr.raw, '*order*'),
            strings.ilike(.scan.ocr.raw, '*support*'),
            strings.ilike(.scan.ocr.raw, '*help line*'),
            strings.ilike(.scan.ocr.raw, '*receipt*'),
            strings.ilike(.scan.ocr.raw, '*invoice*'),
            strings.ilike(.scan.ocr.raw, '*call*'),
            strings.ilike(.scan.ocr.raw, '*cancel*'),
            strings.ilike(.scan.ocr.raw, '*renew*'),
            strings.ilike(.scan.ocr.raw, '*refund*')
          )
          // phone number regex
          and (
            regex.icontains(.scan.ocr.raw,
                            '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
            )
            or regex.icontains(.scan.ocr.raw,
                               '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
            )
          )
      )
    )
  )
  and sender.email.domain.root_domain not in (
    // paypal domain
    "xoom.com"
  )
  and not strings.ends_with(headers.message_id, "@shopify.com>")

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"
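To see how the rule's conditions combine, here is a Python port of its text branch, added as a worked example; it is not Sublime's code and does not run on the Sublime platform. It assumes constructed stand-ins for the sender profile (`solicited`, `any_messages_malicious_or_spam`, `any_false_positives`), the whois lookup and the `$free_email_providers` list, treats `strings.ilike` as a case-insensitive glob over the whole text, and leaves out the screenshot, OCR and logo-detection branch. The four sample messages are constructed for the example.

```python
"""Text-branch port of the callback-phishing rule (added example, not Sublime's code)."""
import re
from dataclasses import dataclass

# Assumption: stand-in for Sublime's $free_email_providers list.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Brand globs and transaction terms taken from the rule above.
BRAND_PATTERNS = ["*mcafee*", "*norton*", "*geek*squad*", "*paypal*", "*ebay*",
                  "*symantec*", "*best buy*", "*lifelock*"]
TRANSACTION_TERMS = ["purchase", "payment", "transaction", "subscription",
                     "antivirus", "order", "support", "help line", "receipt",
                     "invoice", "call", "cancel", "renew", "refund"]
PHONE_REGEXES = [
    r"\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}",
    r"\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}",
]
MAX_BODY_LEN = 1500   # length(body.current_thread.text) < 1500
MIN_TERM_HITS = 3     # "3 of (...)"
EXCLUDED_ROOT_DOMAINS = {"xoom.com"}


def ilike(text, pattern):
    """Assumed semantics of strings.ilike: case-insensitive glob, '*' matches anything."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


@dataclass
class SenderProfile:            # stand-in for profile.by_sender() and beta.whois()
    solicited: bool
    any_messages_malicious_or_spam: bool = False
    any_false_positives: bool = False
    whois_found: bool = True


@dataclass
class Message:                  # stand-in for the message fields the rule reads
    sender_root_domain: str
    body_text: str
    message_id: str
    attachment_count: int
    profile: SenderProfile


def sender_is_suspect(msg):
    """Unsolicited (or previously flagged) sender on a free-mail or unregistered domain."""
    p = msg.profile
    unsolicited_or_flagged = (not p.solicited) or (
        p.any_messages_malicious_or_spam and not p.any_false_positives)
    weak_domain = msg.sender_root_domain in FREE_EMAIL_PROVIDERS or not p.whois_found
    return unsolicited_or_flagged and weak_domain


def is_callback_phish(msg):
    """Evaluate the rule's text branch; True means the rule would fire."""
    body = msg.body_text
    if msg.attachment_count != 0 or not sender_is_suspect(msg):
        return False
    if not any(ilike(body, pat) for pat in BRAND_PATTERNS):
        return False
    if len(body) >= MAX_BODY_LEN:
        return False
    # "3 of (...)": count how many transaction terms appear anywhere in the body.
    hits = sum(ilike(body, f"*{term}*") for term in TRANSACTION_TERMS)
    if hits < MIN_TERM_HITS:
        return False
    if not any(re.search(rx, body, re.IGNORECASE) for rx in PHONE_REGEXES):
        return False
    if msg.sender_root_domain in EXCLUDED_ROOT_DOMAINS:
        return False
    return not msg.message_id.endswith("@shopify.com>")


# Constructed sample messages.
CALLBACK_PHISH = Message(
    "gmail.com",
    "Thank you for your Norton 360 subscription renewal.\n"
    "Your payment of $349.99 was processed. Invoice #NRT-20931.\n"
    "To cancel or request a refund call +1 (888) 555-0142 within 24 hours.",
    "<a1b2c3@gmail.com>", 0, SenderProfile(solicited=False))
LEGIT_RECEIPT = Message(
    "paypal.com",
    "You sent a payment of $20.00 to Example Store. Transaction ID 7XY.\n"
    "Questions? Call us at 1-888-555-0199 or visit the Help Center.",
    "<r1@paypal.com>", 0, SenderProfile(solicited=True, whois_found=True))
NO_PHONE = Message(
    "outlook.com",
    "Your McAfee antivirus order is confirmed. Payment receipt attached below. "
    "Reply to this email to cancel.",
    "<x9@outlook.com>", 0, SenderProfile(solicited=False))
SHOPIFY_NOTICE = Message(
    "gmail.com", CALLBACK_PHISH.body_text,
    "<order-5551@shopify.com>", 0, SenderProfile(solicited=False))

if __name__ == "__main__":
    for name in ("CALLBACK_PHISH", "LEGIT_RECEIPT", "NO_PHONE", "SHOPIFY_NOTICE"):
        print(f"{name}: {is_callback_phish(globals()[name])}")
```

Running it shows why the rule layers its conditions: `*call*` and `*order*` alone match ordinary words such as "called" or "border", so the three-term threshold, the brand gate, the phone-number regex and the sender checks each have to agree before it fires, and the PayPal receipt from a solicited, registered domain is not flagged even though it carries a phone number and several transaction terms.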