Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment
Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present.
name: "Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment"
description: "Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present."
type: "rule"
severity: "high"
source: |
  type.inbound

  // sender address is on aol.com
  and sender.email.domain.root_domain == "aol.com"

  // the sender profile has no messages previously marked benign
  and not profile.by_sender_email().any_messages_benign

  // exactly one To recipient, nothing on Cc or Bcc
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0

  // not a reply
  and headers.in_reply_to is null

  // second reply guard: Yahoo/AOL appear to add their own message ID as a
  // reference, so a fresh message still carries exactly one References entry
  and length(headers.references) == 1

  // observed message IDs end in @mail.yahoo.com; some benign AOL mail uses @aol.com
  and strings.iends_with(headers.message_id, '@mail.yahoo.com>')

  // the legitimate Yahoo/AOL web client X-Mailer; this drops AOL mail sent
  // from iPhones and other non-AOL clients
  and strings.ends_with(headers.mailer, 'AolMailNorrin')

  // two message shapes are matched below: no attachment with a known HTML
  // template, or a single PDF with fixed metadata. Recipients that commonly
  // (but not always) exchange benign mail with AOL addresses are candidates
  // for exclusion when tuning this rule.
  and (
    (
      // no attachment: match on the observed HTML template instead
      length(attachments) == 0
      and (
        // yahoo-style-wrap div followed by <br>, verdana font stack
        strings.icontains(body.html.raw,
                          "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // yahoo-style-wrap div followed by <br>, Helvetica Neue font stack
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // yahoo-style-wrap div followed by a doctype, verdana font stack
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
        // yahoo-style-wrap div followed by a doctype, Helvetica Neue font stack
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
      )
    )
    or (
      // with an attachment there must be exactly one
      length(attachments) == 1
      and all(attachments,
              // and it is a PDF
              .file_type == "pdf"
              and (
                // fixed content_id seen across observed samples
                .content_id == '<@yahoo.com>'
                // or fixed generator metadata seen across observed samples
                or (
                  //
                  // This rule makes use of a beta feature and is subject to change without notice
                  // using the beta feature in custom rules is not suggested until it has been formally released
                  //
                  beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
                  and beta.parse_exif(.).title is null
                  and beta.parse_exif(.).producer == 'Qt 4.8.7'
                )
                // or a file name made of CamelCase words, an underscore and an
                // 8-9 character uppercase alphanumeric token, ending in .pdf
                or regex.contains(.file_name,
                                  '^(?:[A-Z][a-z]+)+_[A-Z0-9]{8,9}\.pdf$'
                )
              )
      )
    )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "File analysis"
  - "HTML analysis"
  - "Exif analysis"
  - "Sender analysis"
id: "f6044eed-ec4b-5959-a4d6-60aa6a8ca76b"