Callback phishing via Zoho service abuse

Callback phishing campaigns have been observed abusing Zoho Invoice services to send fraudulent invoices with callback phishing contents.

Sublime rule

  1name: "Callback phishing via Zoho service abuse"
  2description: "Callback phishing campaigns have been observed abusing Zoho Invoice services to send fraudulent invoices with callback phishing contents."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound
  7  
  8  // Legitimate Zoho sending infratructure
  9  and (
 10    sender.email.domain.root_domain in ('zohoinvoice.com')
 11    // check for SPF or DMARC passed
 12    and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
 13  )
 14  and (
 15    // Callback Phishing in body (brand names required)
 16    (
 17      length(attachments) == 0
 18  
 19      // brand names are required.
 20      and regex.icontains(body.current_thread.text,
 21                          (
 22                            "mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
 23                          )
 24      )
 25      and 3 of (
 26        strings.ilike(body.current_thread.text, '*purchase*'),
 27        strings.ilike(body.current_thread.text, '*payment*'),
 28        strings.ilike(body.current_thread.text, '*transaction*'),
 29        strings.ilike(body.current_thread.text, '*subscription*'),
 30        strings.ilike(body.current_thread.text, '*antivirus*'),
 31        strings.ilike(body.current_thread.text, '*order*'),
 32        strings.ilike(body.current_thread.text, '*support*'),
 33        strings.ilike(body.current_thread.text, '*help line*'),
 34        strings.ilike(body.current_thread.text, '*receipt*'),
 35        strings.ilike(body.current_thread.text, '*invoice*'),
 36        strings.ilike(body.current_thread.text, '*call*'),
 37        strings.ilike(body.current_thread.text, '*cancel*'),
 38        strings.ilike(body.current_thread.text, '*renew*'),
 39        strings.ilike(body.current_thread.text, '*refund*')
 40      )
 41      // phone number regex
 42      and any([body.current_thread.text, subject.subject],
 43              regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
 44      )
 45    )
 46    // all attachments are PDFs with callback phishing indicators Brands Required
 47    or (
 48      length(attachments) < 3
 49      and all(attachments, .file_extension == "pdf")
 50      // the attachment is a pdf with 1 page, and at least 60 ocr chars
 51      and any(attachments,
 52              (
 53                .file_extension == "pdf"
 54                and any(file.explode(.), .scan.exiftool.page_count < 3)
 55                and any(file.explode(.), length(.scan.ocr.raw) > 60)
 56  
 57                // 4 of the following strings are found        
 58                and (
 59                  any(file.explode(.),
 60                      4 of (
 61                        strings.icontains(.scan.ocr.raw, "purchase"),
 62                        strings.icontains(.scan.ocr.raw, "payment"),
 63                        strings.icontains(.scan.ocr.raw, "transaction"),
 64                        strings.icontains(.scan.ocr.raw, "subscription"),
 65                        strings.icontains(.scan.ocr.raw, "antivirus"),
 66                        strings.icontains(.scan.ocr.raw, "order"),
 67                        strings.icontains(.scan.ocr.raw, "support"),
 68                        strings.icontains(.scan.ocr.raw, "help line"),
 69                        strings.icontains(.scan.ocr.raw, "receipt"),
 70                        strings.icontains(.scan.ocr.raw, "invoice"),
 71                        strings.icontains(.scan.ocr.raw, "call"),
 72                        strings.icontains(.scan.ocr.raw, "helpdesk"),
 73                        strings.icontains(.scan.ocr.raw, "cancel"),
 74                        strings.icontains(.scan.ocr.raw, "renew"),
 75                        strings.icontains(.scan.ocr.raw, "refund"),
 76                        strings.icontains(.scan.ocr.raw, "amount"),
 77                        strings.icontains(.scan.ocr.raw, "crypto"),
 78                        strings.icontains(.scan.ocr.raw, "wallet address"),
 79                        regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
 80                        regex.icontains(.scan.ocr.raw,
 81                                        '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
 82                        ),
 83                        regex.icontains(.scan.ocr.raw,
 84                                        '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
 85                        )
 86                      )
 87  
 88                      // 1 of the following strings is found, representing common Callback brands          
 89                      and (
 90                        1 of (
 91                          strings.icontains(.scan.ocr.raw, "geek squad"),
 92                          strings.icontains(.scan.ocr.raw, "lifelock"),
 93                          strings.icontains(.scan.ocr.raw, "best buy"),
 94                          strings.icontains(.scan.ocr.raw, "mcafee"),
 95                          strings.icontains(.scan.ocr.raw, "norton"),
 96                          strings.icontains(.scan.ocr.raw, "ebay"),
 97                          strings.icontains(.scan.ocr.raw, "paypal"),
 98                        )
 99                        // add additional logic for common language for paypal, which is a valid payment method
100                        and not regex.icontains(.scan.ocr.raw, "paypal[^\n]+accepted")
101                        and not regex.icontains(.scan.ocr.raw, "payment.{0,30}(via|by) paypal")
102                        and not regex.icontains(.scan.ocr.raw, '\d{2,4} norton')  // an address, example: 1234 Norton Road
103                      )
104                  )
105                  or any(ml.logo_detect(.).brands,
106                         .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
107                  )
108                )
109              )
110      )
111    )
112  )  
113attack_types:
114  - "Callback Phishing"
115tactics_and_techniques:
116  - "Evasion"
117  - "Free email provider"
118  - "Impersonation: Brand"
119  - "Social engineering"
120detection_methods:
121  - "Computer Vision"
122  - "Content analysis"
123  - "Header analysis"
124  - "Optical Character Recognition"
125id: "61e351ec-0d21-5cb4-822f-bb6b99a21c07"