Callback Phishing in body or attachment (untrusted sender)
Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
# Sublime Security detection rule. Metadata keys are plain YAML; the `source`
# block holds the MQL query, which uses `//` line comments.
name: "Callback Phishing in body or attachment (untrusted sender)"
description: |
  Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
type: "rule"
severity: "medium"
source: |
  // Scope: inbound mail carrying fewer than five attachments.
  type.inbound
  and length(attachments) < 5
  // Either an attachment or the body text must classify as a callback scam.
  and (
    // Branch 1: an image or PDF attachment whose OCR text carries a
    // "callback_scam" intent at medium or high confidence.
    any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and any(file.explode(.),

                // exclude images taken with mobile cameras and screenshots from android
                not any(.scan.exiftool.fields,
                        .key == "Model"
                        or (
                          .key == "Software"
                          and strings.starts_with(.value, "Android")
                        )
                        or (.key == "UserComment" and .value == "Screenshot")
                )
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "callback_scam"
                        and .confidence in ("medium", "high")
                )
        )
        and (
          // negate noreply unless a logo is found in the attachment
          // (a no_reply/noreply local part is only kept when one of the
          // listed brands is detected in the attachment; other local parts
          // pass unconditionally)
          (
            sender.email.local_part in ("no_reply", "noreply")
            and any(ml.logo_detect(.).brands,
                    .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
            )
          )
          or sender.email.local_part not in ("no_reply", "noreply")
        )
    )
    // Branch 2: the current-thread body text itself classifies as a
    // callback scam; limited to short bodies (under 1750 characters).
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name in ("callback_scam")
           and .confidence in ("medium", "high")
           and length(body.current_thread.text) < 1750
    )
  )
  // Exclusion: mail that transited the BigCommerce outbound host and
  // references bigcommerce.com in the HTML body.
  // NOTE(review): both signals come from message content/headers rather than
  // an authentication result — confirm this exclusion is as narrow as intended.
  and not (
    any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
    and strings.icontains(body.html.raw, "bigcommerce.com")
  )
  // Sender must be unsolicited, or previously seen as malicious/spam with
  // no recorded false positives.
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // NOTE(review): if DMARC was not evaluated for a message, `dmarc.pass` may be
  // null — confirm how `not` on a null value evaluates here so trusted domains
  // without a DMARC result behave as intended.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"