Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old

This rule checks for invoicing content from a sender domain, reply-to domain or return-path domain that is less than 30 days old. It also checks the message body, or the OCR'd message screenshot, for keywords and brand names commonly abused in fraudulent invoicing attacks.

Sublime rule (View on GitHub)

# Sublime detection rule: YAML metadata wrapping an MQL expression in `source`.
# The message is flagged only when every top-level `and` clause of `source` holds.
name: "Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old"
description: "This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. "
type: "rule"
severity: "medium"
source: |

  // inbound mail only; every clause below is AND-ed with this
  type.inbound
  // reply to domain that's less than 30d old and doesn't match the sender
  // (all reply-to addresses must satisfy both conditions; the length check
  // keeps an empty reply-to list from passing `all` vacuously)
  and (
    (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              network.whois(.email.domain).days_old <= 30
              and .email.email != sender.email.email
      )
    )
  
    // or the return path or sender domain is less than 30d old 
    // NOTE(review): what `days_old <= 30` yields when the whois lookup
    // returns no age is not visible here — confirm a failed lookup does not match
    or network.whois(headers.return_path.domain).days_old <= 30
    or network.whois(sender.email.domain).days_old <= 30
  )
  
  // invoicing with high confidence
  // (NLU tag "invoice" on the current thread text, at "high" confidence only)
  and any(ml.nlu_classifier(body.current_thread.text).tags,
          .name == "invoice" and .confidence == "high"
  )
  
  // commonly abused brands in body
  // NOTE(review): "symantec" is only in this text list, not in the logo or
  // OCR lists below; confirm the three brand lists are meant to differ
  and (
    strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*virus*"
    )
  
    // commonly abused brand logo
    or any(ml.logo_detect(beta.message_screenshot()).brands,
           .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
    )
  
    // check message screenshot ocr for commonly abused brands
    // (case-insensitive substring match on the raw OCR text; one hit suffices)
    or any(file.explode(beta.message_screenshot()),
           1 of (
             strings.icontains(.scan.ocr.raw, "geek squad"),
             strings.icontains(.scan.ocr.raw, "lifelock"),
             strings.icontains(.scan.ocr.raw, "best buy"),
             strings.icontains(.scan.ocr.raw, "mcafee"),
             strings.icontains(.scan.ocr.raw, "norton"),
             strings.icontains(.scan.ocr.raw, "ebay"),
             strings.icontains(.scan.ocr.raw, "paypal"),
             strings.icontains(.scan.ocr.raw, "virus"),
           )
    )
  )
  
  // phone number regex
  // Loose callback-number pattern: optional "+", optional 1-digit prefix,
  // optional parentheses around the first 3 digits, then 3 and 4 digits.
  // NOTE(review): `\d{3}?` is a lazy quantifier on an exact count and matches
  // the same as `\d{3}`; the unescaped `.` separators match any single
  // character, not only spaces/dashes, so this is broader than it reads.
  and regex.icontains(body.current_thread.text,
                      '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
  )
  // suppress senders whose profile shows solicited mail or prior false positives
  and not profile.by_sender().solicited
  and not profile.by_sender().any_false_positives

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Whois"
id: "e6f4af53-dbb6-5917-acee-bfd7d8042c03"