Callback Phishing in body or attachment (untrusted sender)

Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.

Sublime rule

 1name: "Callback Phishing in body or attachment (untrusted sender)"
 2description: |
 3    Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(attachments) < 5
 9  and (
10    any(attachments,
11        (.file_type in $file_types_images or .file_type == "pdf")
12        and (
13          any(ml.nlu_classifier(beta.ocr(.).text).intents,
14              .name == "callback_scam" and .confidence in ("medium", "high")
15          )
16          or any(file.explode(.),
17  
18                 // exclude images taken with mobile cameras and screenshots from android
19                 not any(.scan.exiftool.fields,
20                         .key == "Model"
21                         or (
22                           .key == "Software"
23                           and strings.starts_with(.value, "Android")
24                         )
25                         or (.key == "UserComment" and .value == "Screenshot")
26                 )
27                 and any(ml.nlu_classifier(.scan.ocr.raw).intents,
28                         .name == "callback_scam"
29                         and .confidence in ("medium", "high")
30                 )
31          )
32        )
33        and (
34          // negate noreply unless a logo is found in the attachment
35          (
36            sender.email.local_part in ("no_reply", "noreply")
37            and any(ml.logo_detect(.).brands,
38                    .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
39            )
40          )
41          or sender.email.local_part not in ("no_reply", "noreply")
42        )
43    )
44    or any(ml.nlu_classifier(body.current_thread.text).intents,
45           .name in ("callback_scam")
46           and .confidence in ("medium", "high")
47           and length(body.current_thread.text) < 1750
48    )
49  )
50  and not (
51    any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
52    and strings.icontains(body.html.raw, "bigcommerce.com")
53  )
54  and (
55    not profile.by_sender().solicited
56    or (
57      profile.by_sender().any_messages_malicious_or_spam
58      and not profile.by_sender().any_false_positives
59    )
60  )
61  
62  // negate highly trusted sender domains unless they fail DMARC authentication
63  and (
64    (
65      sender.email.domain.root_domain in $high_trust_sender_root_domains
66      and not headers.auth_summary.dmarc.pass
67    )
68    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
69  )  
70
71attack_types:
72  - "Callback Phishing"
73tactics_and_techniques:
74  - "Out of band pivot"
75  - "Social engineering"
76detection_methods:
77  - "Content analysis"
78  - "File analysis"
79  - "Optical Character Recognition"
80  - "Natural Language Understanding"
81  - "Sender analysis"
82id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"