Callback phishing: AOL senders with suspicious HTML template or PDF attachment
Detects a specific behavioral pattern from AOL senders: a single-recipient, non-reply message sent through the native AOL web client (Yahoo-style Message-ID and X-Mailer) whose body matches one of a small set of fixed "yahoo-style-wrap" HTML templates, or whose sole attachment is a PDF with a static Yahoo Content-ID or wkhtmltopdf/Qt generator metadata. Note that the rule keys on header content, not on sender authentication results.
# Sublime Security detection rule (YAML with an MQL expression under `source`).
# All clauses are AND-ed; the final parenthesised block is the only OR branch
# (no-attachment HTML template  OR  single PDF attachment with static metadata).
name: "Callback phishing: AOL senders with suspicious HTML template or PDF attachment"
description: "Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present."
type: "rule"
severity: "high"
source: |
  // only inbound mail is evaluated
  type.inbound

  // sender is aol (root domain of the header From address)
  // NOTE(review): no SPF/DKIM/DMARC check is applied in this rule; the
  // Message-ID and X-Mailer clauses below are what tie the message to
  // Yahoo/AOL infrastructure rather than to a merely claimed aol.com address
  and sender.email.domain.root_domain == "aol.com"

  // there is a single recipient: exactly one To: and no Cc:/Bcc:
  // (callback lures observed with this template are sent one-to-one)
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0

  // is not a reply (no In-Reply-To header)
  and headers.in_reply_to is null

  // this is another way to limit replies, but it needs to account for
  // a behavior where Yahoo/AOL appears to include its own Message-ID as a
  // reference on a fresh (non-reply) message, hence == 1 rather than == 0
  and length(headers.references) == 1

  // all observed message-id values end in mail.yahoo.com; some benign
  // messages use @aol.com and are intentionally not matched here.
  // iends_with: case-insensitive match including the closing '>'
  and strings.iends_with(headers.message_id, '@mail.yahoo.com>')

  // all observed samples use the legit Yahoo/AOL web client X-Mailer.
  // this removes AOL mail sent from iPhones and other non-AOL clients.
  // ends_with (not iends_with) is a case-sensitive match
  and strings.ends_with(headers.mailer, 'AolMailNorrin')

  // NOTE(review): this rule implements no recipient exclusions. Recipients
  // that commonly (but not always) interact with AOL addresses legitimately
  // are a known source of benign matches; add environment-specific recipient
  // exclusions here if needed.
  and (
    // branch 1: no attachment
    (
      length(attachments) == 0
      // if there are no attachments, focus on the HTML template being observed.
      // each literal includes the CRLF ("\r\n") line endings and the 18px
      // font-size exactly as seen in body.html.raw; two font-family variants
      // are matched, each followed either by <br> or by an embedded <!DOCTYPE html>
      and (

        // yahoo div followed by <br>
        // font-family: verdana, helvetica, sans-serif
        strings.icontains(body.html.raw,
                          "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // font-family: Helvetica Neue, Helvetica, Arial, sans-serif
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // yahoo div followed by doctype
        // font-family: verdana, helvetica, sans-serif
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
        // font-family: Helvetica Neue, Helvetica, Arial, sans-serif
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
      )
    )
    // branch 2: exactly one attachment
    or (
      // if there is an attachment, there can be only one
      length(attachments) == 1
      and all(attachments,
              // it's a PDF (by detected file type, not by extension)
              .file_type == "pdf"
              and (
                // static Content-ID value observed on the attachments,
                // with or without the surrounding angle brackets
                (
                  .content_id == '<@yahoo.com>' or .content_id == '@yahoo.com'
                )
                // or created by the observed static PDF generator details
                // (wkhtmltopdf via Qt, with no Title set)
                or (

                  //
                  // This rule makes use of a beta feature and is subject to change without notice
                  // using the beta feature in custom rules is not suggested until it has been formally released
                  //
                  beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
                  and beta.parse_exif(.).title is null
                  and beta.parse_exif(.).producer == 'Qt 4.8.7'
                )
              )
      )
    )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "File analysis"
  - "HTML analysis"
  - "Exif analysis"
  - "Sender analysis"
id: "f6044eed-ec4b-5959-a4d6-60aa6a8ca76b"