Body: Callback Phishing solicitation
A fraudulent invoice or receipt is found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (the recipient) into calling a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule
name: "Body: Callback Phishing solicitation"
description: |
  A fraudulent invoice/receipt found in the body of the message.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $recipient_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $recipient_domains
    )
  )
  and sender.email.domain.root_domain in $free_email_providers
  and strings.ilike(body.current_thread.text,
                    "*mcafee*",
                    "*norton*",
                    "*geek squad*",
                    "*paypal*",
                    "*ebay*",
                    "*symantec*",
                    "*best buy*",
                    "*lifelock*"
  )
  and length(body.current_thread.text) < 1500
  and 3 of (
    strings.ilike(body.current_thread.text, '*purchase*'),
    strings.ilike(body.current_thread.text, '*payment*'),
    strings.ilike(body.current_thread.text, '*transaction*'),
    strings.ilike(body.current_thread.text, '*subscription*'),
    strings.ilike(body.current_thread.text, '*antivirus*'),
    strings.ilike(body.current_thread.text, '*order*'),
    strings.ilike(body.current_thread.text, '*support*'),
    strings.ilike(body.current_thread.text, '*help line*'),
    strings.ilike(body.current_thread.text, '*receipt*'),
    strings.ilike(body.current_thread.text, '*invoice*'),
    strings.ilike(body.current_thread.text, '*call*'),
    strings.ilike(body.current_thread.text, '*cancel*'),
    strings.ilike(body.current_thread.text, '*renew*'),
    strings.ilike(body.current_thread.text, '*refund*')
  )
  // phone number regex
  and regex.icontains(body.current_thread.text, '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}')
  and sender.email.domain.root_domain not in (
    // paypal domain
    "xoom.com"
  )
  and not strings.ends_with(headers.message_id, "@shopify.com>")
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "File analysis"
  - "Sender analysis"
id: "10a3a446-c70f-5843-a4e4-4d815d33fcb1"
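As an added example that is not part of the Sublime rule or its repository, the following Python reproduces the rule's sender and body clauses over constructed message bodies so the "3 of" keyword threshold, the brand requirement and the phone-number regex can be exercised offline; $free_email_providers is replaced by a small hypothetical set and the MQL functions by their Python analogues.

```python
import re

# Constructed stand-ins for the rule's lists; $free_email_providers is a Sublime
# list not reproduced here, so a small hypothetical set is used instead.
FREE_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
BRANDS = ["mcafee", "norton", "geek squad", "paypal", "ebay",
          "symantec", "best buy", "lifelock"]
THEMES = ["purchase", "payment", "transaction", "subscription", "antivirus",
          "order", "support", "help line", "receipt", "invoice", "call",
          "cancel", "renew", "refund"]
# The phone-number pattern copied from the rule; regex.icontains is a
# case-insensitive search, so re.search with IGNORECASE is the analogue.
PHONE_RE = re.compile(r"\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}", re.IGNORECASE)


def body_signals(text: str) -> dict:
    """Evaluate the body-content clauses of the rule on one message body."""
    lower = text.lower()  # strings.ilike is case-insensitive; '*x*' is a substring test
    return {
        "brand": any(b in lower for b in BRANDS),
        "theme_count": sum(1 for t in THEMES if t in lower),
        "short": len(text) < 1500,
        "phone": PHONE_RE.search(text) is not None,
    }


def rule_fires(sender_email, recipient_emails, body_text, attachment_count=0, message_id=""):
    """Apply the whole rule: sender clauses, body clauses and the two exclusions."""
    sender = sender_email.lower()
    domain = sender.split("@")[-1]
    if attachment_count != 0:
        return False
    # The rule ORs a free-provider branch with a non-free-provider branch and then
    # ANDs `root_domain in $free_email_providers` again, so only the free-provider
    # branch (sender not among the recipients) can ever be satisfied.
    if domain not in FREE_PROVIDERS or sender in {r.lower() for r in recipient_emails}:
        return False
    if domain == "xoom.com" or message_id.endswith("@shopify.com>"):
        return False
    s = body_signals(body_text)
    return s["brand"] and s["short"] and s["theme_count"] >= 3 and s["phone"]


# Constructed sample bodies, not real messages.
LURE = ("Thank you for your purchase. Your Norton antivirus subscription has been "
        "renewed and a payment of $349.99 was charged. If you did not authorize this "
        "transaction, call our support help line at +1 (888) 555-0143 to cancel and refund.")
BENIGN = ("Reminder: the quarterly invoice review call is at 3pm. "
          "Bring the support receipts and last month's order summary.")
```

The benign body trips five of the theme keywords but names no brand and carries no phone number, which is why the brand and regex clauses matter as much as the keyword threshold.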