Callback phishing via e-signature service
Detects messages containing e-signature topics combined with tech support keywords and phone numbers. Message includes brand impersonation (PayPal, Norton, McAfee, etc.) and transaction-related language, with no attachments and reply-to addresses from free email providers.
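# Callback phishing via e-signature service
#
# How the MQL in `source` is built up (top-level conditions are AND-ed):
#   1. inbound message, zero attachments, at least one reply-to address whose
#      root domain is in the $free_email_providers list
#   2. the current thread text is classified by the (beta-namespaced) ML topic
#      model as "E-Signature"
#   3. SPF or DMARC passes — messages failing both are therefore out of scope
#      for this rule and are left to other detections
#   4. brand impersonation, either via a confusable-normalised regex over the
#      body text or via logo detection on a rendered screenshot
#   5. at least 3 transaction/support keywords AND a phone-number pattern, in
#      either the body text or the OCR output of the rendered screenshot
#      (the OCR branch is meant for image-embedded lures and excludes quoted
#      previous threads)
#
# Several keyword/regex sections are declared as "synced" with the sibling
# attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
# rules; edit them in lockstep.
name: "Callback phishing via e-signature service"
description: "Detects messages containing e-signature topics combined with tech support keywords and phone numbers. Message includes brand impersonation (PayPal, Norton, McAfee, etc.) and transaction-related language, with no attachments and reply-to addresses from free email providers."
type: "rule"
severity: "high"
source: |
  type.inbound
  and length(attachments) == 0
  and any(headers.reply_to, .email.domain.root_domain in $free_email_providers)
  and any(beta.ml_topic(body.current_thread.text).topics, .name == "E-Signature")
  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
  and (
    // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
    // confusables are normalised first so look-alike characters cannot break the brand regex
    regex.icontains(strings.replace_confusables(body.current_thread.text),
                    '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
    )
    // brand logos rendered as images are caught via logo detection on a message screenshot
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name in (
             "PayPal",
             "Norton",
             "GeekSquad",
             "Ebay",
             "McAfee",
             "AT&T",
             "Microsoft"
           )
    )
  )
  and (
    (
      // this section is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
      // however, the 3 of logic and requiring a phone number is specific to this rule in order to reduce FPs
      // caused by messages which mention cancelling or otherwise managing a subscription
      // it is also synced and below for message_screenshot OCR output
      // NOTE(review): the OCR list below also checks 'helpdesk', which is absent here — confirm which
      // version matches the synced sibling rules before adding or removing it
      3 of (
        strings.icontains(body.current_thread.text, 'purchase'),
        strings.icontains(body.current_thread.text, 'payment'),
        strings.icontains(body.current_thread.text, 'transaction'),
        strings.icontains(body.current_thread.text, 'subscription'),
        strings.icontains(body.current_thread.text, 'antivirus'),
        strings.icontains(body.current_thread.text, 'order'),
        strings.icontains(body.current_thread.text, 'support'),
        strings.icontains(body.current_thread.text, 'help line'),
        strings.icontains(body.current_thread.text, 'receipt'),
        strings.icontains(body.current_thread.text, 'invoice'),
        strings.icontains(body.current_thread.text, 'call'),
        strings.icontains(body.current_thread.text, 'cancel'),
        strings.icontains(body.current_thread.text, 'renew'),
        strings.icontains(body.current_thread.text, 'refund'),
        regex.icontains(body.current_thread.text, "(?:reach|contact) us at"),
        strings.icontains(body.current_thread.text, "+1"),
        strings.icontains(body.current_thread.text, "amount"),
        strings.icontains(body.current_thread.text, "charged"),
        strings.icontains(body.current_thread.text, "crypto"),
        strings.icontains(body.current_thread.text, "wallet address"),
        regex.icontains(body.current_thread.text, '\$\d{3}\.\d{2}\b'),
      )
      // phone number regex (two patterns; either may match). The character classes also
      // accept i, l and o alongside digits, presumably as look-alikes for 1 and 0
      and regex.icontains(body.current_thread.text,
                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
      )
    )
    or (
      any(file.explode(beta.message_screenshot()),
          // this section is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
          // and above for current_thread.text
          3 of (
            strings.icontains(.scan.ocr.raw, 'purchase'),
            strings.icontains(.scan.ocr.raw, 'payment'),
            strings.icontains(.scan.ocr.raw, 'transaction'),
            strings.icontains(.scan.ocr.raw, 'subscription'),
            strings.icontains(.scan.ocr.raw, 'antivirus'),
            strings.icontains(.scan.ocr.raw, 'order'),
            strings.icontains(.scan.ocr.raw, 'support'),
            strings.icontains(.scan.ocr.raw, 'help line'),
            strings.icontains(.scan.ocr.raw, 'receipt'),
            strings.icontains(.scan.ocr.raw, 'invoice'),
            strings.icontains(.scan.ocr.raw, 'call'),
            strings.icontains(.scan.ocr.raw, 'helpdesk'),
            strings.icontains(.scan.ocr.raw, 'cancel'),
            strings.icontains(.scan.ocr.raw, 'renew'),
            strings.icontains(.scan.ocr.raw, 'refund'),
            regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
            strings.icontains(.scan.ocr.raw, '+1'),
            strings.icontains(.scan.ocr.raw, 'amount'),
            strings.icontains(.scan.ocr.raw, 'charged'),
            strings.icontains(.scan.ocr.raw, 'crypto'),
            strings.icontains(.scan.ocr.raw, 'wallet address'),
            regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
          )
          // phone number regex (same two patterns as the body-text branch above)
          and regex.icontains(.scan.ocr.raw,
                              '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                              '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
          )

          // negate messages with previous threads. While callback phishing with thread hijacking or with current_thread
          // padded with whitespace and previous threads in the message has been observed, the intention of using OCR is for image embedded callbacks
          // more than 3 header-style labels in the OCR text is treated as a quoted thread
          and not regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
          // this notation of previous threads often only occurs once
          and not regex.icontains(.scan.ocr.raw, 'wrote:[\r\n]')
      )
    )
  )


attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Computer Vision"
  - "Header analysis"
  - "Optical Character Recognition"
id: "ed37b4fd-22bb-5f55-92fa-215e42f5fe5a"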