Callback phishing via e-signature service

Detects messages containing e-signature topics combined with tech support keywords and phone numbers. Message includes brand impersonation (PayPal, Norton, McAfee, etc.) and transaction-related language, with no attachments and reply-to addresses from free email providers.

Sublime rule (View on GitHub)

  1name: "Callback phishing via e-signature service"
  2description: "Detects messages containing e-signature topics combined with tech support keywords and phone numbers. Message includes brand impersonation (PayPal, Norton, McAfee, etc.) and transaction-related language, with no attachments and reply-to addresses from free email providers."
  3type: "rule"
  4severity: "high"
  5source: |
  6  type.inbound
  7  and length(attachments) == 0
  8  and any(headers.reply_to, .email.domain.root_domain in $free_email_providers)
  9  and any(beta.ml_topic(body.current_thread.text).topics, .name == "E-Signature")
 10  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
 11  and (
 12    // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
 13    regex.icontains(strings.replace_confusables(body.current_thread.text),
 14                    '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
 15    )
 16    or any(ml.logo_detect(beta.message_screenshot()).brands,
 17           .name in (
 18             "PayPal",
 19             "Norton",
 20             "GeekSquad",
 21             "Ebay",
 22             "McAfee",
 23             "AT&T",
 24             "Microsoft"
 25           )
 26    )
 27  )
 28  and (
 29    (
 30      // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
 31      // however, the 3 of logic and requiring a phone number is specific to this rule in order to reduce FPs
 32      // caused by messages which mention cancelling or otherwise managing a subscription
 33      // it is also synced and below for message_screenshot OCR output
 34      3 of (
 35        strings.icontains(body.current_thread.text, 'purchase'),
 36        strings.icontains(body.current_thread.text, 'payment'),
 37        strings.icontains(body.current_thread.text, 'transaction'),
 38        strings.icontains(body.current_thread.text, 'subscription'),
 39        strings.icontains(body.current_thread.text, 'antivirus'),
 40        strings.icontains(body.current_thread.text, 'order'),
 41        strings.icontains(body.current_thread.text, 'support'),
 42        strings.icontains(body.current_thread.text, 'help line'),
 43        strings.icontains(body.current_thread.text, 'receipt'),
 44        strings.icontains(body.current_thread.text, 'invoice'),
 45        strings.icontains(body.current_thread.text, 'call'),
 46        strings.icontains(body.current_thread.text, 'cancel'),
 47        strings.icontains(body.current_thread.text, 'renew'),
 48        strings.icontains(body.current_thread.text, 'refund'),
 49        regex.icontains(body.current_thread.text, "(?:reach|contact) us at"),
 50        strings.icontains(body.current_thread.text, "+1"),
 51        strings.icontains(body.current_thread.text, "amount"),
 52        strings.icontains(body.current_thread.text, "charged"),
 53        strings.icontains(body.current_thread.text, "crypto"),
 54        strings.icontains(body.current_thread.text, "wallet address"),
 55        regex.icontains(body.current_thread.text, '\$\d{3}\.\d{2}\b'),
 56      )
 57      // phone number regex
 58      and regex.icontains(body.current_thread.text,
 59                          '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
 60                          '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
 61      )
 62    )
 63    or (
 64      any(file.explode(beta.message_screenshot()),
 65          // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
 66          // and above for current_thread.text
 67          3 of (
 68            strings.icontains(.scan.ocr.raw, 'purchase'),
 69            strings.icontains(.scan.ocr.raw, 'payment'),
 70            strings.icontains(.scan.ocr.raw, 'transaction'),
 71            strings.icontains(.scan.ocr.raw, 'subscription'),
 72            strings.icontains(.scan.ocr.raw, 'antivirus'),
 73            strings.icontains(.scan.ocr.raw, 'order'),
 74            strings.icontains(.scan.ocr.raw, 'support'),
 75            strings.icontains(.scan.ocr.raw, 'help line'),
 76            strings.icontains(.scan.ocr.raw, 'receipt'),
 77            strings.icontains(.scan.ocr.raw, 'invoice'),
 78            strings.icontains(.scan.ocr.raw, 'call'),
 79            strings.icontains(.scan.ocr.raw, 'helpdesk'),
 80            strings.icontains(.scan.ocr.raw, 'cancel'),
 81            strings.icontains(.scan.ocr.raw, 'renew'),
 82            strings.icontains(.scan.ocr.raw, 'refund'),
 83            regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
 84            strings.icontains(.scan.ocr.raw, '+1'),
 85            strings.icontains(.scan.ocr.raw, 'amount'),
 86            strings.icontains(.scan.ocr.raw, 'charged'),
 87            strings.icontains(.scan.ocr.raw, 'crypto'),
 88            strings.icontains(.scan.ocr.raw, 'wallet address'),
 89            regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
 90          )
 91          // phone number regex
 92          and regex.icontains(.scan.ocr.raw,
 93                              '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
 94                              '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
 95          )
 96  
 97          // negate messages with previous threads.  While callback phishing with thread hijacking or with current_thread 
 98          // padded with whitespace and previous threads in the message has been observed, the intetion of using OCR is for image embedded callbacks
 99          and not regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
100          // this notation of previous threads often only occurs once
101          and not regex.icontains(.scan.ocr.raw, 'wrote:[\r\n]')
102      )
103    )
104  )
105    
106
107attack_types:
108  - "Callback Phishing"
109tactics_and_techniques:
110  - "Free email provider"
111  - "Impersonation: Brand"
112  - "Social engineering"
113detection_methods:
114  - "Content analysis"
115  - "Computer Vision"
116  - "Header analysis"
117  - "Optical Character Recognition"
118id: "ed37b4fd-22bb-5f55-92fa-215e42f5fe5a"