Callback Phishing: Social Security Administration Fraud

calendar Feb 24, 2025  ·
Share on: linkedin copy

Detects phishing attempts that impersonate the Social Security Administration, using a single PDF attachment containing specific fraud-related language and a callback number.

Sublime rule (View on GitHub)

 1name: "Callback Phishing: Social Security Administration Fraud"
 2description: "Detects phishing attempts that impersonate the Social Security Administration, using a single PDF attachment containing specific fraud-related language and a callback number."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    not profile.by_sender().solicited
 9    or (
10      profile.by_sender().any_messages_malicious_or_spam
11      and not profile.by_sender().any_false_positives
12    )
13  )
14  
15  // single attachment
16  and length(attachments) == 1
17  
18  // sender is freemail
19  and sender.email.domain.root_domain in $free_email_providers
20  
21  // the attachment is a pdf with 1 page, and at least 60 ocr chars
22  and any(attachments,
23          .file_extension == "pdf"
24          and any(file.explode(.), .scan.exiftool.page_count == 1)
25          and any(file.explode(.), length(.scan.ocr.raw) > 60)
26  
27          // 4 of the following strings are found        
28          and (
29            any(file.explode(.),
30                4 of (
31                  strings.icontains(.scan.ocr.raw, "fraudulent activity"),
32                  strings.icontains(.scan.ocr.raw, "Social Security Number"),
33                  strings.icontains(.scan.ocr.raw, "SSN"),
34                  strings.icontains(.scan.ocr.raw, "stolen"),
35                  strings.icontains(.scan.ocr.raw, "illicit activities"),
36                  strings.icontains(.scan.ocr.raw,
37                                    "Social Security Administration"
38                  ),
39                  strings.icontains(.scan.ocr.raw, "if you are innocent"),
40                  strings.icontains(.scan.ocr.raw, "help line"),
41                  strings.icontains(.scan.ocr.raw, "Department of Justice"),
42                  strings.icontains(.scan.ocr.raw, "innocent"),
43                  regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b')
44                  and (
45                    regex.contains(.scan.ocr.raw,
46                                    '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
47                    )
48                    or regex.contains(.scan.ocr.raw,
49                                       '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
50                    )
51                  )
52                )
53            )
54          )
55  )
56  
57  
58    
59
60attack_types:
61  - "Callback Phishing"
62tactics_and_techniques:
63  - "Evasion"
64  - "Free email provider"
65  - "Out of band pivot"
66  - "PDF"
67  - "Social engineering"
68detection_methods:
69  - "Exif analysis"
70  - "File analysis"
71  - "Optical Character Recognition"
72  - "Sender analysis"
73id: "a9049d52-3611-5b16-8b7c-38cdb639f692"
to-top