Callback phishing: AOL senders with suspicious HTML template or PDF attachment
Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present.
name: "Callback phishing: AOL senders with suspicious HTML template or PDF attachment"
description: "Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present."
type: "rule"
severity: "high"
source: |
  type.inbound
  // sender root domain is aol.com
  and sender.email.domain.root_domain == "aol.com"

  // with no restored/benign messages from this sender address
  and not profile.by_sender_email().any_messages_benign

  // there is a single recipient
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0

  // is not a reply
  and headers.in_reply_to is null

  // this is another way to limit replies, but it needs to account for
  // a behavior where Yahoo/AOL seems to include its own message ID as a reference
  and length(headers.references) == 1

  // all observed message-id values end in mail.yahoo.com; some benign messages use @aol.com
  and strings.iends_with(headers.message_id, '@mail.yahoo.com>')

  // all observed samples use the legitimate Yahoo X-Mailer value
  // this removes AOL mail sent from iPhones and other non-AOL clients
  // note: X-Mailer is a sender-supplied header, so it is used here only as an
  // infrastructure fingerprint to narrow the match, not as a trust signal
  and strings.ends_with(headers.mailer, 'AolMailNorrin')

  // no recipient exclusions are built into this rule; recipient-specific
  // exclusions (for recipients that commonly, but not always, exchange
  // benign mail with aol.com addresses) can be added alongside the block below
  and (
    // no attachment
    (
      length(attachments) == 0
      // if there are no attachments, focus on the HTML template being observed
      // each template literal includes CRLF (\r\n) line breaks, so the match
      // depends on the raw HTML body preserving those line endings
      and (
        // yahoo div followed by <br>
        // verdana, helvetica, sans-serif;
        strings.icontains(body.html.raw,
          "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // Helvetica Neue, Helvetica, Arial, sans-serif;
        or strings.icontains(body.html.raw,
          "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // yahoo div followed by doctype
        // verdana, helvetica, sans-serif;
        or strings.icontains(body.html.raw,
          "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
        // Helvetica Neue, Helvetica, Arial, sans-serif;
        or strings.icontains(body.html.raw,
          "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
      )
    )
    or (
      // if there is an attachment, there can be only one
      length(attachments) == 1
      and all(attachments,
        // it's a PDF,
        .file_type == "pdf"
        and (
          // static content_id value for the attachments
          (
            .content_id == '<@yahoo.com>'
            or .content_id == '@yahoo.com'
          )
          // created by observed static PDF details (creator/producer/title)
          or (

            //
            // This rule makes use of a beta feature and is subject to change without notice
            // using the beta feature in custom rules is not suggested until it has been formally released
            //

            beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
            and beta.parse_exif(.).title is null
            and beta.parse_exif(.).producer == 'Qt 4.8.7'
          )
        )
      )
    )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "File analysis"
  - "HTML analysis"
  - "Exif analysis"
  - "Sender analysis"
id: "f6044eed-ec4b-5959-a4d6-60aa6a8ca76b"