Callback Phishing via Adobe Sign comment
This rule inspects messages originating from legitimate Adobe Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.
Sublime rule (View on GitHub)
1name: "Callback Phishing via Adobe Sign comment"
2description: |
3 This rule inspects messages originating from legitimate Adobe Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(attachments) == 0
9 and (
10 not profile.by_sender().solicited
11 or (
12 profile.by_sender().any_messages_malicious_or_spam
13 and not profile.by_sender().any_false_positives
14 )
15 )
16 // Legitimate Docusign sending infratructure
17 and sender.email.domain.root_domain == 'adobesign.com'
18 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
19
20 and (
21 // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
22 regex.icontains(strings.replace_confusables(body.current_thread.text),
23 '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
24 )
25 or any(ml.logo_detect(beta.message_screenshot()).brands,
26 .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee", "AT&T")
27 )
28 )
29 and (
30 (
31 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
32 // however, the 3 of logic and requiring a phone number is specific to this rule in order to reduce FPs
33 // caused by messages which mention cancelling or otherwise managing a subscription
34 // it is also synced and below for message_screenshot OCR output
35 3 of (
36 strings.icontains(body.current_thread.text, 'purchase'),
37 strings.icontains(body.current_thread.text, 'payment'),
38 strings.icontains(body.current_thread.text, 'transaction'),
39 strings.icontains(body.current_thread.text, 'subscription'),
40 strings.icontains(body.current_thread.text, 'antivirus'),
41 strings.icontains(body.current_thread.text, 'order'),
42 strings.icontains(body.current_thread.text, 'support'),
43 strings.icontains(body.current_thread.text, 'help line'),
44 strings.icontains(body.current_thread.text, 'receipt'),
45 strings.icontains(body.current_thread.text, 'invoice'),
46 strings.icontains(body.current_thread.text, 'call'),
47 strings.icontains(body.current_thread.text, 'cancel'),
48 strings.icontains(body.current_thread.text, 'renew'),
49 strings.icontains(body.current_thread.text, 'refund'),
50 regex.icontains(body.current_thread.text, "(?:reach|contact) us at"),
51 strings.icontains(body.current_thread.text, "+1"),
52 strings.icontains(body.current_thread.text, "amount"),
53 strings.icontains(body.current_thread.text, "charged"),
54 strings.icontains(body.current_thread.text, "crypto"),
55 strings.icontains(body.current_thread.text, "wallet address"),
56 regex.icontains(body.current_thread.text, '\$\d{3}\.\d{2}\b'),
57 )
58 // phone number regex
59 and regex.icontains(body.current_thread.text,
60 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
61 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
62 )
63 )
64 or (
65 any(file.explode(beta.message_screenshot()),
66 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
67 // and above for current_thread.text
68 3 of (
69 strings.icontains(.scan.ocr.raw, 'purchase'),
70 strings.icontains(.scan.ocr.raw, 'payment'),
71 strings.icontains(.scan.ocr.raw, 'transaction'),
72 strings.icontains(.scan.ocr.raw, 'subscription'),
73 strings.icontains(.scan.ocr.raw, 'antivirus'),
74 strings.icontains(.scan.ocr.raw, 'order'),
75 strings.icontains(.scan.ocr.raw, 'support'),
76 strings.icontains(.scan.ocr.raw, 'help line'),
77 strings.icontains(.scan.ocr.raw, 'receipt'),
78 strings.icontains(.scan.ocr.raw, 'invoice'),
79 strings.icontains(.scan.ocr.raw, 'call'),
80 strings.icontains(.scan.ocr.raw, 'helpdesk'),
81 strings.icontains(.scan.ocr.raw, 'cancel'),
82 strings.icontains(.scan.ocr.raw, 'renew'),
83 strings.icontains(.scan.ocr.raw, 'refund'),
84 regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
85 strings.icontains(.scan.ocr.raw, '+1'),
86 strings.icontains(.scan.ocr.raw, 'amount'),
87 strings.icontains(.scan.ocr.raw, 'charged'),
88 strings.icontains(.scan.ocr.raw, 'crypto'),
89 strings.icontains(.scan.ocr.raw, 'wallet address'),
90 regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
91 )
92 // phone number regex
93 and regex.icontains(.scan.ocr.raw,
94 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
95 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
96 )
97
98 // negate messages with previous threads. While callback phishing with thread hijacking or with current_thread
99 // padded with whitespace and previous threads in the message has been observed, the intetion of using OCR is for image embedded callbacks
100 and not regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
101 // this notation of previous threads often only occurs once
102 and not regex.icontains(.scan.ocr.raw, 'wrote:[\r\n]')
103 )
104 )
105 )
106attack_types:
107 - "Callback Phishing"
108tactics_and_techniques:
109 - "Evasion"
110 - "Impersonation: Brand"
111 - "Out of band pivot"
112 - "Social engineering"
113detection_methods:
114 - "Content analysis"
115 - "Computer Vision"
116 - "Header analysis"
117 - "Sender analysis"
118 - "URL analysis"
119id: "7eb4516d-f358-5c22-b527-34db0a532df9"