Callback Phishing via extensionless rfc822 attachment

This rule detects messages with an unknown file_type (extensionless) and a content_type of 'message/rfc822' containing an image file with Callback Phishing indicators.

Sublime rule (View on GitHub)

 1name: "Callback Phishing via extensionless rfc822 attachment"
 2description: "This rule detects messages with an unknown file_type (extensionless) and a content_type of 'message/rfc822' containing an image file with Callback Phishing indicators."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and any(attachments,
 8          .file_type == "unknown"
 9          and .content_type == "message/rfc822"
10          and any(file.explode(.),
11                      strings.starts_with(.flavors.mime, "image")
12  
13                      // and Image contains callback phishing indicators
14                      and 4 of (
15                        strings.icontains(.scan.ocr.raw, "purchase"),
16                        strings.icontains(.scan.ocr.raw, "subscription"),
17                        strings.icontains(.scan.ocr.raw, "antivirus"),
18                        strings.icontains(.scan.ocr.raw, "order"),
19                        strings.icontains(.scan.ocr.raw, "support"),
20                        strings.icontains(.scan.ocr.raw, "receipt"),
21                        strings.icontains(.scan.ocr.raw, "amount"),
22                        strings.icontains(.scan.ocr.raw, "charged"),
23                        strings.icontains(.scan.ocr.raw, "invoice"),
24                        strings.icontains(.scan.ocr.raw, "call"),
25                        strings.icontains(.scan.ocr.raw, "cancel"),
26                        strings.icontains(.scan.ocr.raw, "renew"),
27                        strings.icontains(.scan.ocr.raw, "refund"),
28                        strings.icontains(.scan.ocr.raw, "+1")
29                      )
30          )
31          and any(file.explode(.),
32                  strings.ilike(.scan.ocr.raw,
33                                "*geek*squad*",
34                                "*lifelock*",
35                                "*best buy*",
36                                "*mcafee*",
37                                "*norton*",
38                                "*ebay*",
39                                "*paypal*",
40                                "*secure anywhere*"
41                  )
42                  or any(ml.nlu_classifier(.scan.ocr.raw).intents,
43                         .name in ("callback_scam")
44                         and .confidence == "high"
45                         and length(body.current_thread.text) < 1500
46                  )
47          )
48  )
49  and (
50    not profile.by_sender().solicited
51    and not profile.by_sender().any_false_positives
52  )
53  
54  // negate highly trusted sender domains unless they fail DMARC authentication
55  and (
56    (
57      sender.email.domain.root_domain in $high_trust_sender_root_domains
58      and (
59        any(distinct(headers.hops, .authentication_results.dmarc is not null),
60            strings.ilike(.authentication_results.dmarc, "*fail")
61        )
62      )
63    )
64    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
65  )
66    
67
68attack_types:
69  - "Callback Phishing"
70tactics_and_techniques:
71  - "Impersonation: Brand"
72  - "Social engineering"
73detection_methods:
74  - "File analysis"
75  - "Natural Language Understanding"
76  - "Optical Character Recognition"
77  - "Sender analysis"
78
79id: "197722c4-a22a-5c36-85d0-085f4b11c44e"
to-top