Callback Phishing: SumUp Infrastructure Abuse
A fraudulent invoice or receipt carried in the body of a message that was sent through SumUp's legitimate receipt-email service. Because the attacker uses SumUp's own infrastructure, the message arrives from a genuine sumup.com sender; the lure is the attacker-supplied note (typically a phone number to "call") embedded in an otherwise authentic receipt.
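name: "Callback Phishing: SumUp Infrastructure Abuse"
description: "A fraudulent invoice/receipt found in the body of the message sent by exploiting SumUp's receipt email service."
type: "rule"
severity: "high"
source: |
  type.inbound
  // The message really comes from SumUp's sending domain: the abuse is that
  // the attacker places their own text (a callback number, "fraud alert"
  // wording) inside a genuine receipt, so there is no lookalike domain to
  // key on. No DMARC/SPF condition is applied, so a message that merely
  // claims a sumup.com sender (a spoof) matches as well; that is acceptable
  // here because such a message is still a callback-phishing lure, but it
  // means "infrastructure abuse" is inferred from the domain, not proven.
  and sender.email.domain.root_domain in ("sumup.com")
  // Template markers that identify a SumUp receipt / delivery note
  and (
    strings.ilike(body.html.display_text, "*delivery note*")
    or strings.ilike(body.html.display_text, "*made with sumup*")
  )
  // keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
  and (
    (
      // A callback phone number in the current thread is the primary lure
      // indicator. The character class [ilo0-9] accepts the digits plus the
      // letters i/l/o, which attackers substitute for 1/1/0 to defeat naive
      // digit matching; strings.replace_confusables() first folds Unicode
      // look-alike glyphs back to ASCII.
      // NOTE(review): every pattern below ends in '\n', so a number sitting on
      // the final line of a thread with no trailing newline is not matched.
      // This is inherited verbatim from the PayPal rule linked above; change
      // both rules or neither.
      (
        // loosely-formatted number, optional country code and parentheses
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
        )
        // +<country code><10 digits>, no separators
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or ( // 8123456789
          // a bare 10-digit number starting with 8 is only accepted when a
          // "+1" also appears somewhere in the thread, to limit matches on
          // order/reference numbers
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[ilo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\+[1l]'
          )
        )
      )
    )
    // Secondary: social-engineering vocabulary. Four of the terms below must
    // appear, OR one of the stronger single signals further down.
    // NOTE(review): several list entries (receipt, invoice, transaction,
    // purchase, order, support, call, cancel) are expected in any ordinary
    // SumUp receipt, so the 4-of threshold is easily reached by benign mail;
    // the phone-number clause above is what really carries this rule.
    // '*using your PayPal*' is carried over from the PayPal rule and is
    // harmless here.
    and (
      (
        4 of (
          strings.ilike(body.html.inner_text, '*you did not*'),
          strings.ilike(body.html.inner_text, '*is not for*'),
          strings.ilike(body.html.inner_text, '*done by you*'),
          regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
          // deliberate misspelling: scam notes frequently contain it
          strings.ilike(body.html.inner_text, '*Fruad Alert*'),
          strings.ilike(body.html.inner_text, '*Fraud Alert*'),
          strings.ilike(body.html.inner_text, '*fraudulent*'),
          strings.ilike(body.html.inner_text, '*using your PayPal*'),
          strings.ilike(body.html.inner_text, '*subscription*'),
          strings.ilike(body.html.inner_text, '*antivirus*'),
          strings.ilike(body.html.inner_text, '*order*'),
          strings.ilike(body.html.inner_text, '*support*'),
          strings.ilike(body.html.inner_text, '*sincerely apologize*'),
          strings.ilike(body.html.inner_text, '*receipt*'),
          strings.ilike(body.html.inner_text, '*invoice*'),
          strings.ilike(body.html.inner_text, '*Purchase*'),
          strings.ilike(body.html.inner_text, '*transaction*'),
          strings.ilike(body.html.inner_text, '*Market*Value*'),
          strings.ilike(body.html.inner_text, '*BTC*'),
          strings.ilike(body.html.inner_text, '*call*'),
          strings.ilike(body.html.inner_text, '*get in touch with our*'),
          strings.ilike(body.html.inner_text, '*quickly inform*'),
          strings.ilike(body.html.inner_text, '*quickly reach *'),
          strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
          strings.ilike(body.html.inner_text, '*without your authorization*'),
          strings.ilike(body.html.inner_text, '*cancel*'),
          strings.ilike(body.html.inner_text, '*renew*'),
          strings.ilike(body.html.inner_text, '*refund*'),
          strings.ilike(body.html.inner_text, '*+1*'),
          regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
          strings.ilike(body.html.inner_text, '* your funds*'),
          strings.ilike(body.html.inner_text, '* your checking*'),
          strings.ilike(body.html.inner_text, '* your saving*'),
          strings.ilike(body.html.inner_text, '*transfer*'),
          strings.ilike(body.html.inner_text, '*secure your account*'),
          strings.ilike(body.html.inner_text, '*recover your*'),
          strings.ilike(body.html.inner_text, '*unusual activity*'),
          strings.ilike(body.html.inner_text, '*suspicious transaction*'),
          strings.ilike(body.html.inner_text, '*transaction history*'),
          strings.ilike(body.html.inner_text, '*please ignore this*'),
          strings.ilike(body.html.inner_text, '*report activity*'),
        )
      )
      // a "note from <merchant>" that asks the recipient to call/contact
      or regex.icontains(body.current_thread.text,
                         'note from.{0,50}(?:call|reach|contact|paypal)'
      )
      // NLU classifier already recognises the callback-scam intent
      or any(ml.nlu_classifier(body.current_thread.text).intents,
             .name == "callback_scam"
      )
      or (
        // Key words written in Unicode mathematical sans-serif bold letters
        // (+1, payment, help desk, refund, antivirus, call, cancel), which
        // evade the ASCII matches above. These are matched on inner_text
        // without replace_confusables() on purpose.
        // NOTE(review): this literal was mis-encoded (UTF-8 rendered as
        // TIS-620) in the listing this was taken from and has been decoded
        // back; the "help desk" alternative in particular decoded
        // inconsistently, so confirm every alternative against the upstream
        // rule in sublime-rules before relying on it.
        regex.icontains(body.html.inner_text,
                        '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗵𝗲𝗹𝗽 𝗱𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
        )
      )
      // "kindly" is a strong single-word tell in this scam family
      or strings.ilike(body.html.inner_text, '*kindly*')
    )
  )

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "1c41649e-d701-513e-a676-20f48e834a7b"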