Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old
This rule checks for invoicing content from a sender, reply-to or return-path domain that is less than 30 days old. It also checks the body text or the OCR'd message screenshot for keywords commonly abused in fraudulent invoicing attacks.
# Sublime detection rule. The MQL in `source` is evaluated against each inbound
# message; every top-level `and` clause below must hold for the rule to fire.
# Signals combined: young sender/reply-to/return-path domain (whois), NLU
# "invoice" classification, brand keywords in text / logo / OCR'd screenshot,
# a phone-number pattern (the callback lure), and sender-profile exclusions.
name: "Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old"
description: "This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. "
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Domain-age gate: one of three domains (reply-to, return-path, sender) must be
  // 30 days old or younger per whois.
  // NOTE(review): if a whois lookup fails or the return-path header is absent,
  // how `<= 30` treats a missing value is platform-defined -- confirm it
  // evaluates false rather than matching.
  // reply to domain that's less than 30d old and doesn't match the sender
  and (
    (
      length(headers.reply_to) > 0
      // all(): every reply-to address must be on a young domain AND differ from
      // the From address; a single older or sender-matching reply-to fails this arm.
      and all(headers.reply_to,
              network.whois(.email.domain).days_old <= 30
              and .email.email != sender.email.email
      )
    )
  
    // or the return path or sender domain is less than 30d old
    or network.whois(headers.return_path.domain).days_old <= 30
    or network.whois(sender.email.domain).days_old <= 30
  )
  
  // invoicing with high confidence
  // Only the current thread text is classified, not quoted earlier replies.
  and any(ml.nlu_classifier(body.current_thread.text).tags,
          .name == "invoice" and .confidence == "high"
  )
  
  // Brand gate: any one of three detectors (body text glob, logo detection,
  // screenshot OCR) must name a commonly impersonated brand.
  // NOTE(review): the logo list below (PayPal, Norton, GeekSquad, Ebay) is
  // narrower than the text/OCR lists (no McAfee, LifeLock, Best Buy, Symantec);
  // confirm whether that gap is intentional.
  // commonly abused brands in body
  and (
    strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*virus*"
    )
  
    // commonly abused brand logo
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
    )
  
    // check message screenshot ocr for commonly abused brands
    //
    // This rule makes use of a beta feature and is subject to change without notice
    // using the beta feature in custom rules is not suggested until it has been formally released
    //
    // Each branch re-invokes beta.ocr(file.message_screenshot()); presumably the
    // platform caches the OCR result, otherwise this runs OCR up to eight times.
    // Same keyword set as the body-text check above, minus "symantec".
    or 1 of (
      strings.icontains(beta.ocr(file.message_screenshot()).text, "geek squad"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "lifelock"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "best buy"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "mcafee"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "norton"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "ebay"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "paypal"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "virus"),
    )
  )
  
  // phone number regex -- the "call this number" lure in callback phishing.
  // Pattern reads: optional "+", optional 1-digit country code followed by any
  // one character, optional "(", 3 digits, optional ")", exactly one arbitrary
  // character, 3 digits, optional arbitrary character, 4 digits. The unescaped
  // "." matches any character, not just a separator, and "\d{3}?" is the lazy
  // form of "\d{3}" (same matches). Because the separator after the area code is
  // mandatory, a 10-digit run with no separators (e.g. 5551234567) does not
  // match -- TODO confirm that is intended.
  and regex.icontains(body.current_thread.text,
                      '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
  )
  // Sender-profile exclusions: skip senders whose profile marks prior traffic as
  // solicited or as having benign messages (per field names -- confirm exact
  // semantics in the platform docs).
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign  

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Whois"
id: "e6f4af53-dbb6-5917-acee-bfd7d8042c03"