Callback phishing: AOL senders with suspicious HTML template or PDF attachment

Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present.

Sublime rule (View on GitHub)

name: "Callback phishing: AOL senders with suspicious HTML template or PDF attachment"
description: "Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present."
type: "rule"
severity: "high"
# Detection logic (MQL). Every top-level clause below must hold; the final
# parenthesised block requires either the no-attachment HTML-template case or
# the single-PDF case.
source: |
  type.inbound
  // the sender's root domain is aol.com
  and sender.email.domain.root_domain == "aol.com"
  
  // the sender profile has no benign message history (including restored messages)
  and not profile.by_sender_email().any_messages_benign
  
  // exactly one recipient in To, nothing in Cc or Bcc
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  
  // not a reply (no In-Reply-To header)
  and headers.in_reply_to is null
  
  // a second guard against replies; exactly one References entry is still expected
  // because Yahoo/AOL appears to include its own Message-ID as a reference
  and length(headers.references) == 1
  
  // observed Message-ID values end in @mail.yahoo.com; some benign messages use @aol.com
  and strings.iends_with(headers.message_id, '@mail.yahoo.com>')
  
  // observed messages all carry the legitimate Yahoo X-Mailer value;
  // this drops AOL mail sent from iPhones and other non-AOL clients
  and strings.ends_with(headers.mailer, 'AolMailNorrin')
  
  // no recipient exclusions are built in. Recipients that routinely exchange
  // (usually, but not always, benign) mail with AOL addresses should be added
  // as exclusions when tuning this rule for a given environment.
  and (
    // case 1: no attachment
    (
      length(attachments) == 0
      // with no attachment, match on the observed HTML template.
      // NOTE(review): these are case-insensitive exact-substring matches on the raw
      // HTML, including the \r\n line endings; any change in whitespace or in the
      // font-family list will not match
      and (
  
        // yahoo-style-wrap div followed by <br>
        // font-family: verdana, helvetica, sans-serif
        strings.icontains(body.html.raw,
                          "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // font-family: Helvetica Neue, Helvetica, Arial, sans-serif
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // yahoo-style-wrap div followed by a <!DOCTYPE html> declaration
        // font-family: verdana, helvetica, sans-serif
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
        // font-family: Helvetica Neue, Helvetica, Arial, sans-serif
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
      )
    )
    // case 2: exactly one attachment, a PDF with the observed characteristics
    or (
      // if there is an attachment, there can be only one
      length(attachments) == 1
      and all(attachments,
              // the attachment is a PDF
              .file_type == "pdf"
              and (
                // static Content-ID value observed on the attachments
                // (with or without the surrounding angle brackets)
                (
                  .content_id == '<@yahoo.com>' or .content_id == '@yahoo.com'
                )
                // or PDF metadata matching the observed static generator details
                or (
  
                  // 
                  // This rule makes use of a beta feature and is subject to change without notice
                  // using the beta feature in custom rules is not suggested until it has been formally released
                  // 
                  // creator and producer strings observed on the campaign PDFs; the
                  // title field is absent on those samples
                  beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
                  and beta.parse_exif(.).title is null
                  and beta.parse_exif(.).producer == 'Qt 4.8.7'
                )
              )
      )
    )
  )  
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "File analysis"
  - "HTML analysis"
  - "Exif analysis"
  - "Sender analysis"
id: "f6044eed-ec4b-5959-a4d6-60aa6a8ca76b"