Callback Phishing solicitation in message body

A fraudulent invoice or receipt is found in the body of the message. Callback phishing is an attempt by an attacker to get the victim (recipient) to call a phone number. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

name: "Callback Phishing solicitation in message body"
description: |
  A fraudulent invoice/receipt found in the body of the message.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and (
    sender.email.domain.root_domain in $free_email_providers
    or sender.email.domain.tld in $suspicious_tlds
    or network.whois(sender.email.domain).found == false
    or headers.mailer in~ ("Microsoft CDO for Windows 2000")
  )
  and (
    strings.ilike(body.current_thread.text,
                  "*mcfee*",
                  "*mcafee*",
                  "*norton*",
                  "*geek*squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*utilities premium*"
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
    )
  )
  and length(body.current_thread.text) < 1500
  and (
    (
      3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*help line*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*'),
        strings.ilike(body.current_thread.text, "*contact us at*")
      )
      // phone number regex
      and (
        regex.icontains(body.current_thread.text,
                        '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
        )
        or regex.icontains(body.current_thread.text,
                           '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
        )
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          3 of (
            strings.ilike(.scan.ocr.raw, '*purchase*'),
            strings.ilike(.scan.ocr.raw, '*payment*'),
            strings.ilike(.scan.ocr.raw, '*transaction*'),
            strings.ilike(.scan.ocr.raw, '*subscription*'),
            strings.ilike(.scan.ocr.raw, '*antivirus*'),
            strings.ilike(.scan.ocr.raw, '*order*'),
            strings.ilike(.scan.ocr.raw, '*support*'),
            strings.ilike(.scan.ocr.raw, '*help line*'),
            strings.ilike(.scan.ocr.raw, '*receipt*'),
            strings.ilike(.scan.ocr.raw, '*invoice*'),
            strings.ilike(.scan.ocr.raw, '*call*'),
            strings.ilike(.scan.ocr.raw, '*cancel*'),
            strings.ilike(.scan.ocr.raw, '*renew*'),
            strings.ilike(.scan.ocr.raw, '*refund*'),
            strings.ilike(.scan.ocr.raw, '*contact us at*')
          )
          // phone number regex
          and (
            regex.icontains(.scan.ocr.raw,
                            '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
            )
            or regex.icontains(.scan.ocr.raw,
                               '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
            )
          )
      )
    )
  )
  and sender.email.domain.root_domain not in (
    // paypal domain
    "xoom.com"
  )
  and not strings.ends_with(headers.message_id, "@shopify.com>")

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"
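To show how the text branch of this rule behaves on concrete messages, here is an added Python harness that re-implements its clauses over three constructed samples. It is example code written for this page, not Sublime's engine or the rule itself, and the MQL semantics are approximated: strings.ilike is modelled as a case-insensitive glob, the $free_email_providers and $suspicious_tlds lists are small stand-in subsets, the sender profile and WHOIS result are passed in as booleans rather than looked up, and the screenshot/OCR/logo-detection branch is omitted. The brand wildcards, lure terms, both phone-number regexes, the 1500-character limit and the xoom.com / Shopify exclusions are copied from the rule as published above.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-ins for Sublime's $free_email_providers / $suspicious_tlds lists.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com", "aol.com"}
SUSPICIOUS_TLDS = {"xyz", "top", "icu", "cam", "buzz"}
ALLOWLISTED_ROOT_DOMAINS = {"xoom.com"}  # PayPal-owned sender the rule excludes
# Brand and lure wildcards copied from the rule (MQL strings.ilike syntax).
BRAND_TERMS = ["*mcfee*", "*mcafee*", "*norton*", "*geek*squad*", "*paypal*", "*ebay*",
               "*symantec*", "*best buy*", "*lifelock*", "*utilities premium*"]
LURE_TERMS = ["*purchase*", "*payment*", "*transaction*", "*subscription*", "*antivirus*",
              "*order*", "*support*", "*help line*", "*receipt*", "*invoice*", "*call*",
              "*cancel*", "*renew*", "*refund*", "*contact us at*"]
# Both phone-number patterns from the rule, verbatim; regex.icontains is a search.
PHONE_PATTERNS = [
    re.compile(r'\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'),
    re.compile(r'\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'),
]


@dataclass
class Email:
    # Only the fields the rule reads; sender profile and WHOIS results are passed
    # in as booleans rather than looked up (assumption made for this example).
    sender_domain: str                  # sender.email.domain.domain
    body_text: str                      # body.current_thread.text
    message_id: str                     # headers.message_id
    attachments: list = field(default_factory=list)
    solicited: bool = False             # profile.by_sender().solicited
    any_malicious_or_spam: bool = False
    any_false_positives: bool = False
    whois_found: bool = True            # network.whois(...).found
    mailer: str = ""                    # headers.mailer


def ilike(text, pattern):
    """Approximate MQL strings.ilike: case-insensitive whole-string glob where
    '*' matches any run of characters, newlines included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE | re.DOTALL) is not None


def root_domain(domain):
    """Last two labels; ignores public-suffix cases (co.uk) that Sublime handles."""
    return ".".join(domain.lower().split(".")[-2:])


def evaluate(msg):
    """Run each clause of the rule's text branch separately so an analyst can see
    which stage a message passed or failed; 'verdict' is the full conjunction."""
    text, root = msg.body_text, root_domain(msg.sender_domain)
    tld = msg.sender_domain.rsplit(".", 1)[-1].lower()
    lure_hits = [t.strip("*") for t in LURE_TERMS if ilike(text, t)]
    c = {
        "no_attachments": not msg.attachments,
        "unsolicited": (not msg.solicited
                        or (msg.any_malicious_or_spam and not msg.any_false_positives)),
        "suspicious_sender": (root in FREE_EMAIL_PROVIDERS or tld in SUSPICIOUS_TLDS
                              or not msg.whois_found
                              or msg.mailer.lower() == "microsoft cdo for windows 2000"),
        "brand_lure": any(ilike(text, b) for b in BRAND_TERMS),
        "short_body": len(text) < 1500,
        "lure_terms": lure_hits,                     # the rule needs 3 of these
        "phone_number": any(p.search(text) for p in PHONE_PATTERNS),
        "excluded": (root in ALLOWLISTED_ROOT_DOMAINS
                     or msg.message_id.endswith("@shopify.com>")),
    }
    c["verdict"] = (c["no_attachments"] and c["unsolicited"] and c["suspicious_sender"]
                    and c["brand_lure"] and c["short_body"] and len(lure_hits) >= 3
                    and c["phone_number"] and not c["excluded"])
    return c


def is_callback_phish(msg):
    return evaluate(msg)["verdict"]


# Constructed sample messages for this example, not real campaign data.
GEEK_SQUAD_LURE = Email(
    sender_domain="gmail.com", message_id="<20240101.a1b2c3@mail.gmail.com>",
    body_text="Dear Customer,\n\nThank you for your purchase. Your Geek Squad Total "
              "Protection antivirus subscription has been renewed for $399.99 and the "
              "payment will be charged within 24 hours.\n\nInvoice ID: GS-7741-2231\n\n"
              "If you did not authorize this transaction, or wish to cancel and request "
              "a refund, call our help line at +1 (888) 555-0142.\n\nGeek Squad Billing")
SHOPIFY_RECEIPT = Email(               # small merchant sending through Shopify
    sender_domain="gmail.com", message_id="<order-1042.f9e8d7@shopify.com>",
    body_text="Order #1042 confirmed\n\nThanks for your purchase from Maple Lane "
              "Candles! Your payment of $32.00 via PayPal was received; your receipt "
              "is on your account page.\n\nQuestions about your order? Call our "
              "support line at (555) 010-2233 or reply to this email.")
VENDOR_RENEWAL = Email(                # known, solicited corporate sender
    sender_domain="billing.example.com", message_id="<renewal-5521@billing.example.com>",
    solicited=True,
    body_text="Your Norton 360 subscription renewal payment of $89.99 was processed. "
              "To cancel, call 1-800-555-0199 or visit your account portal.")
```

Calling evaluate() on the three samples shows the rule's layering: the Geek Squad lure is flagged (free-mail sender, brand term, eleven lure terms, a phone number, short body). The Shopify receipt passes every content check as well, including the brand term via "PayPal" and the phone-number regex, and is suppressed only by the Message-ID exclusion, which is why that exclusion is in the rule. The solicited vendor renewal fails at the sender stage before its content is considered, so reputation and solicitation context do the first cut and the keyword and phone heuristics only run on senders that are already weak.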