Callback Phishing via Xodo Sign comment
This rule inspects messages originating from legitimate Xodo Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number.
Sublime rule (View on GitHub)
1name: "Callback Phishing via Xodo Sign comment"
2description: "This rule inspects messages originating from legitimate Xodo Sign infrastructure, with content matching Callback Phishing criteria, in the body, requiring at least one brand name, as well as 3 matching Callback Phishing terms and a phone number."
3type: "rule"
4severity: "high"
5source: |
6 type.inbound
7 and length(attachments) == 0
8 and (
9 not profile.by_sender().solicited
10 or (
11 profile.by_sender().any_messages_malicious_or_spam
12 and not profile.by_sender().any_false_positives
13 )
14 )
15 // Legitimate Xodo Sign/Eversign sending infratructure
16 and sender.email.domain.root_domain == 'eversign.com'
17 and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
18
19 and (
20 // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
21 regex.icontains(strings.replace_confusables(body.current_thread.text),
22 '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
23 )
24 or any(ml.logo_detect(beta.message_screenshot()).brands,
25 .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee", "AT&T")
26 )
27 )
28 and length(body.current_thread.text) < 1750
29 and (
30 (
31 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
32 // however, the 3 of logic and requiring a phone number is specific to this rule in order to reduce FPs
33 // caused by messages which mention cancelling or otherwise managing a subscription
34 // it is also synced and below for message_screenshot OCR output
35 3 of (
36 strings.icontains(body.current_thread.text, 'purchase'),
37 strings.icontains(body.current_thread.text, 'payment'),
38 strings.icontains(body.current_thread.text, 'transaction'),
39 strings.icontains(body.current_thread.text, 'subscription'),
40 strings.icontains(body.current_thread.text, 'antivirus'),
41 strings.icontains(body.current_thread.text, 'order'),
42 strings.icontains(body.current_thread.text, 'support'),
43 strings.icontains(body.current_thread.text, 'help line'),
44 strings.icontains(body.current_thread.text, 'receipt'),
45 strings.icontains(body.current_thread.text, 'invoice'),
46 strings.icontains(body.current_thread.text, 'call'),
47 strings.icontains(body.current_thread.text, 'cancel'),
48 strings.icontains(body.current_thread.text, 'renew'),
49 strings.icontains(body.current_thread.text, 'refund'),
50 regex.icontains(body.current_thread.text, "(?:reach|contact) us at"),
51 strings.icontains(body.current_thread.text, "+1"),
52 strings.icontains(body.current_thread.text, "amount"),
53 strings.icontains(body.current_thread.text, "charged"),
54 strings.icontains(body.current_thread.text, "crypto"),
55 strings.icontains(body.current_thread.text, "wallet address"),
56 regex.icontains(body.current_thread.text, '\$\d{3}\.\d{2}\b'),
57 )
58 // phone number regex
59 and regex.icontains(body.current_thread.text,
60 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
61 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
62 )
63 )
64 or (
65 any(file.explode(beta.message_screenshot()),
66 // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
67 // and above for current_thread.text
68 3 of (
69 strings.icontains(.scan.ocr.raw, 'purchase'),
70 strings.icontains(.scan.ocr.raw, 'payment'),
71 strings.icontains(.scan.ocr.raw, 'transaction'),
72 strings.icontains(.scan.ocr.raw, 'subscription'),
73 strings.icontains(.scan.ocr.raw, 'antivirus'),
74 strings.icontains(.scan.ocr.raw, 'order'),
75 strings.icontains(.scan.ocr.raw, 'support'),
76 strings.icontains(.scan.ocr.raw, 'help line'),
77 strings.icontains(.scan.ocr.raw, 'receipt'),
78 strings.icontains(.scan.ocr.raw, 'invoice'),
79 strings.icontains(.scan.ocr.raw, 'call'),
80 strings.icontains(.scan.ocr.raw, 'helpdesk'),
81 strings.icontains(.scan.ocr.raw, 'cancel'),
82 strings.icontains(.scan.ocr.raw, 'renew'),
83 strings.icontains(.scan.ocr.raw, 'refund'),
84 regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
85 strings.icontains(.scan.ocr.raw, '+1'),
86 strings.icontains(.scan.ocr.raw, 'amount'),
87 strings.icontains(.scan.ocr.raw, 'charged'),
88 strings.icontains(.scan.ocr.raw, 'crypto'),
89 strings.icontains(.scan.ocr.raw, 'wallet address'),
90 regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
91 )
92 // phone number regex
93 and regex.icontains(.scan.ocr.raw,
94 '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
95 '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
96 )
97
98 // negate messages with previous threads. While callback phishing with thread hijacking or with current_thread
99 // padded with whitespace and previous threads in the message has been observed, the intetion of using OCR is for image embedded callbacks
100 and not regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
101 // this notation of previous threads often only occurs once
102 and not regex.icontains(.scan.ocr.raw, 'wrote:[\r\n]')
103 )
104 )
105 )
106
107attack_types:
108 - "Callback Phishing"
109tactics_and_techniques:
110 - "Exploit"
111 - "Impersonation: Brand"
112 - "Out of band pivot"
113 - "Social engineering"
114detection_methods:
115 - "Computer Vision"
116 - "Content analysis"
117 - "Header analysis"
118 - "Sender analysis"
119 - "URL analysis"
120id: "6f722c5d-ea4b-5fc4-9903-45a6310335e0"