Callback phishing via Zelle Service Abuse
Callback phishing campaigns have been observed abusing Zelle services to send fraudulent payment requests whose memo or sender name carries the callback-phishing content.
Sublime rule (View on GitHub)
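name: "Callback phishing via Zelle Service Abuse"
description: "Callback phishing campaigns have been observed abusing Zelle services to send fraudulent payment requests with callback phishing contents."
type: "rule"
severity: "medium"
# Detection logic, top to bottom: the message must be inbound, carry no
# attachments, and come from the zellepay.com root domain; it must then look
# like a payment request (or carry a phone number in the subject); and the
# quoted memo text must contain both a phone number and callback-scam wording
# (keyword scoring, a "note from ... call/reach/contact" pattern, the NLU
# callback_scam intent, confusable-obfuscated keywords, or "kindly").
source: |
  type.inbound
  and length(attachments) == 0
  and sender.email.domain.root_domain in ("zellepay.com")
  and (
    // only seeing payment requests abused
    strings.ilike(body.html.display_text, "* requested*")
    // phone number in subject
    // the subject contains the seller's "name", attacks have been seen with the entire callback text in the seller's name
    // every subject pattern runs through replace_confusables first so that
    // lookalike digits (i, l, o) are folded back to their ASCII digits
    or (
      regex.icontains(strings.replace_confusables(subject.subject),
                      '.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*'
      )
      or regex.icontains(strings.replace_confusables(subject.subject),
                         '.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*'
      )
      or // +12028001238
      regex.icontains(strings.replace_confusables(subject.subject),
                      '.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*'
      )
      or // 202-800-1238
      regex.icontains(strings.replace_confusables(subject.subject),
                      '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*'
      )
      or // (202) 800-1238
      regex.icontains(strings.replace_confusables(subject.subject),
                      '.*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*'
      )
      or // (202)-800-1238
      regex.icontains(strings.replace_confusables(subject.subject),
                      '.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*'
      )
      or ( // 8123456789
        // a bare 10-digit run starting with 8 is only accepted together with a +1 prefix
        regex.icontains(strings.replace_confusables(subject.subject),
                        '.*8[ilo0-9]{9}.*'
        )
        and regex.icontains(strings.replace_confusables(subject.subject),
                            '\+[1li]'
        )
      )
    )
  )
  and (
    (
      // icontains a phone number within the memo section (wrapped in quotes)
      // same phone-number shapes as the subject block, but anchored between
      // double quotes so only the quoted memo text is considered
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '\".*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\"'
        )
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
                           '\".*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\"'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '\".*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\"'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '\".*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\"'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '\".*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*\"'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '\".*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\"'
        )
        or ( // 8123456789
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '\".*8[ilo0-9]{9}.*\"'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\".*\+[1li].*\"'
          )
        )
      )
      and (
        (
          // keyword scoring: at least four of these quoted-memo indicators must hit;
          // both the misspelled "Fruad Alert" and the correct spelling are listed
          4 of (
            strings.ilike(body.html.inner_text, '*"*you did not*"*'),
            strings.ilike(body.html.inner_text, '*"*is not for*"*'),
            strings.ilike(body.html.inner_text, '*"*done by you*"*'),
            regex.icontains(body.html.inner_text, "\".*didn\'t ma[kd]e this.*\""),
            strings.ilike(body.html.inner_text, '*"*Fruad Alert*"*'),
            strings.ilike(body.html.inner_text, '*"*Fraud Alert*"*'),
            strings.ilike(body.html.inner_text, '*"*fraudulent*"*'),
            strings.ilike(body.html.inner_text, '*"*Zelle*"*'),
            strings.ilike(body.html.inner_text, '*"*subscription*"*'),
            strings.ilike(body.html.inner_text, '*"*antivirus*"*'),
            strings.ilike(body.html.inner_text, '*"*order*"*'),
            strings.ilike(body.html.inner_text, '*"*support*"*'),
            strings.ilike(body.html.inner_text, '*"*sincerely apologize*"*'),
            strings.ilike(body.html.inner_text, '*"*receipt*"*'),
            strings.ilike(body.html.inner_text, '*"*invoice*"*'),
            strings.ilike(body.html.inner_text, '*"*Purchase*"*'),
            strings.ilike(body.html.inner_text, '*"*transaction*"*'),
            strings.ilike(body.html.inner_text, '*"*Market*Value*"*'),
            strings.ilike(body.html.inner_text, '*"*BTC*"*'),
            strings.ilike(body.html.inner_text, '*"*call*"*'),
            strings.ilike(body.html.inner_text, '*"*get in touch with our*"*'),
            strings.ilike(body.html.inner_text, '*"*quickly inform*"*'),
            strings.ilike(body.html.inner_text, '*"*quickly reach*"*'),
            // NOTE(review): unlike its siblings this pattern has no closing "* and so
            // also matches the phrase outside the quoted memo — confirm that is intended
            strings.ilike(body.html.inner_text,
                          '*"*detected unusual transactions*'
            ),
            strings.ilike(body.html.inner_text, '*"*without your authorization*"*'),
            strings.ilike(body.html.inner_text, '*"*cancel*"*'),
            strings.ilike(body.html.inner_text, '*"*renew*"*'),
            strings.ilike(body.html.inner_text, '*"*refund*"*'),
            strings.ilike(body.html.inner_text, '*"*+1*"*'),
            regex.icontains(body.html.inner_text, '\"help.{0,3}desk'),
            strings.ilike(body.html.inner_text, '*"* your funds*"*'),
            strings.ilike(body.html.inner_text, '*"* your checking*"*'),
            strings.ilike(body.html.inner_text, '*"* your saving*"*'),
            strings.ilike(body.html.inner_text, '*"*transfer*"*'),
            strings.ilike(body.html.inner_text, '*"*secure your account*"*'),
            strings.ilike(body.html.inner_text, '*"*recover your *"*'),
          )
        )
        or regex.icontains(body.current_thread.text,
                           'note from.{0,50}(?:call|reach|contact|paypal)'
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name == "callback_scam"
        )
        or (
          // Unicode confusables words obfuscated in note
          // NOTE(review): the alternation below looks mis-encoded in this copy (lone
          // "๐" glyphs where multi-byte characters were expected); a corrupted pattern
          // silently never matches, so verify it against the upstream rule before deploying
          regex.icontains(body.html.inner_text,
                          '\+๐ญ|๐ฝ๐ฎ๐๐บ๐ฒ๐ป๐|๐๐ฒ๐น๐ฝ ๐๐ฒ๐๐ธ|๐ฟ๐ฒ๐ณ๐๐ป๐ฑ|๐ฎ๐ป๐๐ถ๐๐ถ๐ฟ๐๐|๐ฐ๐ฎ๐น๐น|๐ฐ๐ฎ๐ป๐ฐ๐ฒ๐น'
          )
        )
        or strings.ilike(body.html.inner_text, '*"*kindly*"*')
      )
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "08727484-0236-5286-be04-8c6aec86bcba"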