Callback Phishing in body or attachment (untrusted sender)

Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.

Sublime rule (View on GitHub)

 1name: "Callback Phishing in body or attachment (untrusted sender)"
 2description: |
 3    Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
 4type: "rule"
 5severity: "medium"
 6source: |
 7  type.inbound
 8  and length(attachments) < 5
 9  and (
10    any(attachments,
11        (.file_type in $file_types_images or .file_type == "pdf")
12        and any(file.explode(.),
13  
14                // exclude images taken with mobile cameras and screenshots from android
15                not any(.scan.exiftool.fields,
16                        .key == "Model"
17                        or (
18                          .key == "Software"
19                          and strings.starts_with(.value, "Android")
20                        )
21                        or (.key == "UserComment" and .value == "Screenshot")
22                )
23                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
24                        .name == "callback_scam"
25                        and .confidence in ("medium", "high")
26                )
27        )
28        and (
29          // negate noreply unless a logo is found in the attachment
30          (
31            sender.email.local_part in ("no_reply", "noreply")
32            and any(ml.logo_detect(.).brands,
33                    .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
34            )
35          )
36          or sender.email.local_part not in ("no_reply", "noreply")
37        )
38    )
39    or any(ml.nlu_classifier(body.current_thread.text).intents,
40           .name in ("callback_scam")
41           and .confidence in ("medium", "high")
42           and length(body.current_thread.text) < 1750
43    )
44  )
45  and not (
46    any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
47    and strings.icontains(body.html.raw, "bigcommerce.com")
48  )
49  and (
50    not profile.by_sender().solicited
51    or (
52      profile.by_sender().any_messages_malicious_or_spam
53      and not profile.by_sender().any_false_positives
54    )
55  )
56  
57  // negate highly trusted sender domains unless they fail DMARC authentication
58  and (
59    (
60      sender.email.domain.root_domain in $high_trust_sender_root_domains
61      and not headers.auth_summary.dmarc.pass
62    )
63    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
64  )  
65
66attack_types:
67  - "Callback Phishing"
68tactics_and_techniques:
69  - "Out of band pivot"
70  - "Social engineering"
71detection_methods:
72  - "Content analysis"
73  - "File analysis"
74  - "Optical Character Recognition"
75  - "Natural Language Understanding"
76  - "Sender analysis"
77id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"
to-top