Callback Phishing NLU body or attachment from first-time sender
Detects callback scams by analyzing text within images of receipts or invoices from first-time senders.
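# Sublime Security detection rule (YAML). The `source` block is an MQL query
# evaluated against each message; the rule fires when the query is true.
name: "Callback Phishing NLU body or attachment from first-time sender"
description: |
  Detects callback scams by analyzing text within images of receipts or invoices from first time senders.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // bounded attachment count; messages with 5 or more attachments are skipped
  and length(attachments) < 5
  and (
    // Branch 1: a high-confidence callback-scam intent in the OCR text of an
    // image or PDF attachment. Each attachment is exploded and every child's
    // OCR output is run through the NLU classifier.
    any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and any(file.explode(.),

                // exclude images taken with mobile cameras and screenshots from android
                // intended reading (and binds tighter than or): key == "Model",
                // OR key == "Software" with a value starting with "Android"
                // NOTE(review): EXIF is sender-controlled. A generated lure image
                // carrying a "Model" tag skips this branch entirely; the body-text
                // branch below is then the only remaining coverage.
                not any(.scan.exiftool.fields,
                        .key == "Model"
                        or .key == "Software" and strings.starts_with(.value, "Android")
                )
                and any(ml.nlu_classifier(.scan.ocr.raw).intents,
                        .name == "callback_scam" and .confidence == "high"
                )
        )
    )
    // Branch 2: a high-confidence callback-scam intent in the current message
    // body. Only short bodies (< 1500 chars) are considered -- presumably to
    // target terse lure text rather than long threads; confirm against FP data.
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name in ("callback_scam")
           and .confidence == "high"
           and length(body.current_thread.text) < 1500
    )
  )
  // Exclusion: mail relayed via BigCommerce's outbound host that also references
  // bigcommerce.com in the HTML body (both conditions must hold). Presumably a
  // known false-positive source for invoice/receipt OCR.
  and not (
    any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
    and strings.icontains(body.html.raw, "bigcommerce.com")
  )
  // Sender gate: either a new/outlier sender the recipient did not solicit, or a
  // sender with prior malicious/spam verdicts and no recorded false positives.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  // Logically "(trusted and dmarc_fail) or not trusted": a trusted root domain
  // is suppressed whenever no inspected hop reports a "*fail" DMARC verdict
  // (including when no hop carries a DMARC result at all).
  // NOTE(review): distinct() keyed on a boolean keeps at most one hop per key
  // value, so only one DMARC-bearing hop is inspected for "*fail" -- confirm
  // this is intended rather than checking every hop that carries a verdict.
  and
  (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"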