Body: Callback Phishing solicitation

A fraudulent invoice or receipt is found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (the recipient) into calling a phone number. The resulting interaction can lead to a range of attacks, including financial theft, Remote Access Trojan (RAT) installation, or ransomware deployment.

Sublime rule

name: "Body: Callback Phishing solicitation"
description: |
  A fraudulent invoice/receipt found in the body of the message.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
  // note: this clause restricts matches to free-email senders, so only the
  // first branch of the "or" above can ever be satisfied
  and sender.email.domain.root_domain in $free_email_providers
  // impersonated brand names commonly seen in callback lures
  and strings.ilike(body.current_thread.text,
                    "*mcafee*",
                    "*norton*",
                    "*geek squad*",
                    "*paypal*",
                    "*ebay*",
                    "*symantec*",
                    "*best buy*",
                    "*lifelock*"
  )
  // short bodies: these lures are typically a brief fake receipt
  and length(body.current_thread.text) < 1500
  // at least three billing / support / urgency terms
  and 3 of (
    strings.ilike(body.current_thread.text, '*purchase*'),
    strings.ilike(body.current_thread.text, '*payment*'),
    strings.ilike(body.current_thread.text, '*transaction*'),
    strings.ilike(body.current_thread.text, '*subscription*'),
    strings.ilike(body.current_thread.text, '*antivirus*'),
    strings.ilike(body.current_thread.text, '*order*'),
    strings.ilike(body.current_thread.text, '*support*'),
    strings.ilike(body.current_thread.text, '*help line*'),
    strings.ilike(body.current_thread.text, '*receipt*'),
    strings.ilike(body.current_thread.text, '*invoice*'),
    strings.ilike(body.current_thread.text, '*call*'),
    strings.ilike(body.current_thread.text, '*cancel*'),
    strings.ilike(body.current_thread.text, '*renew*'),
    strings.ilike(body.current_thread.text, '*refund*')
  )
  // phone number regex
  and regex.icontains(body.current_thread.text, '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}')
  and sender.email.domain.root_domain not in (
    // paypal domain
    "xoom.com"
  )
  and not strings.ends_with(headers.message_id, "@shopify.com>")
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"
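To test the rule's logic offline against sample messages, the following is an added Python approximation of the MQL conditions above; it is not Sublime's code. The free-email-provider set, recipient list, and the `Message` structure are constructed assumptions, and `root_domain` is simplified to the part after `@`.

```python
"""Offline approximation of the 'Body: Callback Phishing solicitation' rule (added example)."""
import re
from dataclasses import dataclass

# Constructed stand-ins for Sublime's $free_email_providers and $recipient_emails lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
RECIPIENT_EMAILS = {"alice@example.org"}

# Brand names and lure terms copied from the rule; matched case-insensitively as substrings,
# which is what strings.ilike("*term*") does.
BRANDS = ["mcafee", "norton", "geek squad", "paypal", "ebay", "symantec", "best buy", "lifelock"]
LURE_TERMS = ["purchase", "payment", "transaction", "subscription", "antivirus", "order",
              "support", "help line", "receipt", "invoice", "call", "cancel", "renew", "refund"]
# Phone-number pattern copied verbatim from the rule.
PHONE_RE = re.compile(r"\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}", re.IGNORECASE)


@dataclass
class Message:
    sender: str
    body: str
    attachment_count: int = 0
    message_id: str = "<constructed-id@mail.example>"


def root_domain(email: str) -> str:
    # Simplification (assumption): the rule's root_domain would strip subdomains.
    return email.rsplit("@", 1)[1].lower()


def lure_term_count(body: str) -> int:
    text = body.lower()
    return sum(term in text for term in LURE_TERMS)


def matches_callback_phishing(msg: Message) -> bool:
    text = msg.body.lower()
    domain = root_domain(msg.sender)
    if msg.attachment_count != 0:
        return False
    # Net effect of the rule's sender clauses: a free-email sender that is not itself a recipient.
    if domain not in FREE_EMAIL_PROVIDERS or msg.sender.lower() in RECIPIENT_EMAILS:
        return False
    if not any(brand in text for brand in BRANDS):
        return False
    if len(msg.body) >= 1500 or lure_term_count(msg.body) < 3:
        return False
    if not PHONE_RE.search(msg.body):
        return False
    # Exclusions from the rule: PayPal's xoom.com domain and Shopify message IDs.
    return domain != "xoom.com" and not msg.message_id.endswith("@shopify.com>")
```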