Callback Phishing via Adobe Sign comment
This rule inspects messages originating from legitimate Adobe Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.
Sublime rule (View on GitHub)
1name: "Callback Phishing via Adobe Sign comment"
2description: |
3 This rule inspects messages originating from legitimate Adobe Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.
4type: "rule"
5severity: "high"
6source: |
7 type.inbound
8 and length(attachments) == 0
9 and (
10 not profile.by_sender().solicited
11 or (
12 profile.by_sender().any_messages_malicious_or_spam
13 and not profile.by_sender().any_false_positives
14 )
15 )
16 // Legitimate Docusign sending infratructure
17 and sender.email.domain.root_domain == 'adobesign.com'
18 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
19
20 and (
21 // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
22 regex.icontains(strings.replace_confusables(body.current_thread.text),
23 '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
24 )
25 or any(ml.logo_detect(beta.message_screenshot()).brands,
26 .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee", "AT&T")
27 )
28 )
29 and length(body.current_thread.text) < 1750
30 and (
31 (
32 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
33 // however, the 3 of logic and requiring a phone number is specific to this rule in order to reduce FPs
34 // caused by messages which mention cancelling or otherwise managing a subscription
35 // it is also synced and below for message_screenshot OCR output
36 3 of (
37 strings.icontains(body.current_thread.text, 'purchase'),
38 strings.icontains(body.current_thread.text, 'payment'),
39 strings.icontains(body.current_thread.text, 'transaction'),
40 strings.icontains(body.current_thread.text, 'subscription'),
41 strings.icontains(body.current_thread.text, 'antivirus'),
42 strings.icontains(body.current_thread.text, 'order'),
43 strings.icontains(body.current_thread.text, 'support'),
44 strings.icontains(body.current_thread.text, 'help line'),
45 strings.icontains(body.current_thread.text, 'receipt'),
46 strings.icontains(body.current_thread.text, 'invoice'),
47 strings.icontains(body.current_thread.text, 'call'),
48 strings.icontains(body.current_thread.text, 'cancel'),
49 strings.icontains(body.current_thread.text, 'renew'),
50 strings.icontains(body.current_thread.text, 'refund'),
51 regex.icontains(body.current_thread.text, "(?:reach|contact) us at"),
52 strings.icontains(body.current_thread.text, "+1"),
53 strings.icontains(body.current_thread.text, "amount"),
54 strings.icontains(body.current_thread.text, "charged"),
55 strings.icontains(body.current_thread.text, "crypto"),
56 strings.icontains(body.current_thread.text, "wallet address"),
57 regex.icontains(body.current_thread.text, '\$\d{3}\.\d{2}\b'),
58 )
59 // phone number regex
60 and regex.icontains(body.current_thread.text,
61 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
62 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
63 )
64 )
65 or (
66 any(file.explode(beta.message_screenshot()),
67 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
68 // and above for current_thread.text
69 3 of (
70 strings.icontains(.scan.ocr.raw, 'purchase'),
71 strings.icontains(.scan.ocr.raw, 'payment'),
72 strings.icontains(.scan.ocr.raw, 'transaction'),
73 strings.icontains(.scan.ocr.raw, 'subscription'),
74 strings.icontains(.scan.ocr.raw, 'antivirus'),
75 strings.icontains(.scan.ocr.raw, 'order'),
76 strings.icontains(.scan.ocr.raw, 'support'),
77 strings.icontains(.scan.ocr.raw, 'help line'),
78 strings.icontains(.scan.ocr.raw, 'receipt'),
79 strings.icontains(.scan.ocr.raw, 'invoice'),
80 strings.icontains(.scan.ocr.raw, 'call'),
81 strings.icontains(.scan.ocr.raw, 'helpdesk'),
82 strings.icontains(.scan.ocr.raw, 'cancel'),
83 strings.icontains(.scan.ocr.raw, 'renew'),
84 strings.icontains(.scan.ocr.raw, 'refund'),
85 regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
86 strings.icontains(.scan.ocr.raw, '+1'),
87 strings.icontains(.scan.ocr.raw, 'amount'),
88 strings.icontains(.scan.ocr.raw, 'charged'),
89 strings.icontains(.scan.ocr.raw, 'crypto'),
90 strings.icontains(.scan.ocr.raw, 'wallet address'),
91 regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
92 )
93 // phone number regex
94 and regex.icontains(.scan.ocr.raw,
95 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
96 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
97 )
98
99 // negate messages with previous threads. While callback phishing with thread hijacking or with current_thread
100 // padded with whitespace and previous threads in the message has been observed, the intetion of using OCR is for image embedded callbacks
101 and not regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
102 // this notation of previous threads often only occurs once
103 and not regex.icontains(.scan.ocr.raw, 'wrote:[\r\n]')
104 )
105 )
106 )
107attack_types:
108 - "Callback Phishing"
109tactics_and_techniques:
110 - "Evasion"
111 - "Impersonation: Brand"
112 - "Out of band pivot"
113 - "Social engineering"
114detection_methods:
115 - "Content analysis"
116 - "Computer Vision"
117 - "Header analysis"
118 - "Sender analysis"
119 - "URL analysis"
120id: "7eb4516d-f358-5c22-b527-34db0a532df9"