Callback Phishing solicitation in message body

A fraudulent invoice/receipt found in the body of the message. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks, ranging from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule

name: "Callback Phishing solicitation in message body"
description: |
  A fraudulent invoice/receipt found in the body of the message.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or beta.whois(sender.email.domain).found == false
  )
  and (
    strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek*squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*"
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
    )
  )
  and length(body.current_thread.text) < 1500
  and (
    (
      3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*help line*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*')
      )
      // phone number regex
      and (
        regex.icontains(body.current_thread.text,
                        '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
        )
        or regex.icontains(body.current_thread.text,
                           '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
        )
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          3 of (
            strings.ilike(.scan.ocr.raw, '*purchase*'),
            strings.ilike(.scan.ocr.raw, '*payment*'),
            strings.ilike(.scan.ocr.raw, '*transaction*'),
            strings.ilike(.scan.ocr.raw, '*subscription*'),
            strings.ilike(.scan.ocr.raw, '*antivirus*'),
            strings.ilike(.scan.ocr.raw, '*order*'),
            strings.ilike(.scan.ocr.raw, '*support*'),
            strings.ilike(.scan.ocr.raw, '*help line*'),
            strings.ilike(.scan.ocr.raw, '*receipt*'),
            strings.ilike(.scan.ocr.raw, '*invoice*'),
            strings.ilike(.scan.ocr.raw, '*call*'),
            strings.ilike(.scan.ocr.raw, '*cancel*'),
            strings.ilike(.scan.ocr.raw, '*renew*'),
            strings.ilike(.scan.ocr.raw, '*refund*')
          )
          // phone number regex
          and (
            regex.icontains(.scan.ocr.raw,
                            '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
            )
            or regex.icontains(.scan.ocr.raw,
                               '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
            )
          )
      )
    )
  )
  and sender.email.domain.root_domain not in (
    // paypal domain
    "xoom.com"
  )
  and not strings.ends_with(headers.message_id, "@shopify.com>")

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"
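To show how the body-text branch of this rule composes its gates, here is an added Python re-implementation (not Sublime's engine and not the rule's own code) of the brand glob, 3-of-N lure-keyword, phone-number regex and body-length conditions, run over constructed sample bodies. It deliberately does not model the sender-profile, whois, logo-detection or OCR/screenshot conditions, which need the Sublime platform.

```python
import re
from fnmatch import translate

# Brand globs and lure keywords copied from the rule; '*' is a glob wildcard.
BRAND_GLOBS = ["*mcafee*", "*norton*", "*geek*squad*", "*paypal*", "*ebay*",
               "*symantec*", "*best buy*", "*lifelock*"]
LURE_KEYWORDS = ["purchase", "payment", "transaction", "subscription", "antivirus",
                 "order", "support", "help line", "receipt", "invoice", "call",
                 "cancel", "renew", "refund"]
# Both phone-number regexes from the rule, verbatim.
PHONE_REGEXES = [
    r"\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}",
    r"\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}",
]
MAX_BODY_LEN = 1500   # rule: length(body.current_thread.text) < 1500
MIN_KEYWORD_HITS = 3  # rule: 3 of (...)


def ilike(text: str, glob: str) -> bool:
    """Case-insensitive glob match over the whole text, approximating strings.ilike."""
    return re.match(translate(glob), text, re.IGNORECASE) is not None


def evaluate(body: str) -> dict:
    """Evaluate the body-text branch of the rule; returns each gate and the verdict."""
    hits = [kw for kw in LURE_KEYWORDS if ilike(body, f"*{kw}*")]
    result = {
        "brand": any(ilike(body, g) for g in BRAND_GLOBS),
        "short_body": len(body) < MAX_BODY_LEN,
        "keyword_hits": hits,
        "phone": any(re.search(rx, body, re.IGNORECASE) for rx in PHONE_REGEXES),
    }
    result["match"] = (result["brand"] and result["short_body"]
                       and len(hits) >= MIN_KEYWORD_HITS and result["phone"])
    return result


# Constructed sample bodies (not taken from the page or from real mail).
LURE = ("Thank you for your purchase. Your Norton antivirus subscription was renewed "
        "for $349.99. To cancel or request a refund, call our support help line at "
        "+1 (800) 555-0143 within 24 hours.")
RECEIPT = ("Your PayPal receipt for order #4471: payment of $59.00 was received. "
           "Thanks for your purchase.")   # brand + keywords, but no phone number
BENIGN = ("Hi team, attaching the Q3 roadmap notes from today's sync. Ping me with "
          "any questions before Friday.")

if __name__ == "__main__":
    for name, body in (("lure", LURE), ("receipt", RECEIPT), ("benign", BENIGN)):
        print(name, evaluate(body))
```

The RECEIPT case shows why the phone-number regex is the deciding gate: a genuine transactional message trips the brand and keyword conditions, and only the absence of a callable number keeps it from matching.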