PayPal Invoice Abuse
A fraudulent invoice or receipt delivered in the body of a message that was generated through PayPal's own invoicing service, so the mail comes from a legitimate PayPal sender address and passes authentication; the lure sits in the seller note of the invoice. Callback phishing is an attempt by an attacker to get the victim (the recipient) to call a phone number. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule:
name: "PayPal Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting PayPal's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from financial theft, Remote Access Trojan (RAT) installation or ransomware deployment.
type: "rule"
references:
  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  // the invoice is genuinely sent by PayPal, so sender and DMARC checks alone cannot catch it
  and sender.email.domain.root_domain in ("paypal.com", "paypal.com.mx", "paypal.com.br", "paypal.com.ar")
  and not any(headers.hops, .authentication_results.dmarc == "fail")
  // the attacker's text lives in the seller note of the invoice
  and (
    strings.ilike(body.html.display_text, "*seller note*")
    or strings.ilike(body.html.display_text, "*Note from *")
  )
  and (
    (
      // contains a phone number; [lo0-9] also accepts the letters l and o used as look-alikes for 1 and 0
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
        )
        or // 202.800.1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
                        '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
        )
        or ( // 8123456789, only when a "+1" country code also appears
          regex.icontains(strings.replace_confusables(body.current_thread.text),
                          '.*8[lo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
                              '\+[1l]'
          )
        )
      )
      // a phone number alone is not enough: the note must also read like a lure
      and (
        (
          4 of (
            strings.ilike(body.html.inner_text, '*you did not*'),
            strings.ilike(body.html.inner_text, '*is not for*'),
            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
            strings.ilike(body.html.inner_text, "*Fruad Alert*"),
            strings.ilike(body.html.inner_text, '*using your PayPal*'),
            strings.ilike(body.html.inner_text, '*subscription*'),
            strings.ilike(body.html.inner_text, '*antivirus*'),
            strings.ilike(body.html.inner_text, '*order*'),
            strings.ilike(body.html.inner_text, '*support*'),
            strings.ilike(body.html.inner_text, '*receipt*'),
            strings.ilike(body.html.inner_text, '*invoice*'),
            strings.ilike(body.html.inner_text, '*Purchase*'),
            strings.ilike(body.html.inner_text, '*Market*Value*'),
            strings.ilike(body.html.inner_text, '*BTC*'),
            strings.ilike(body.html.inner_text, '*call*'),
            strings.ilike(body.html.inner_text, '*get in touch with our*'),
            strings.ilike(body.html.inner_text, '*quickly inform*'),
            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
            strings.ilike(body.html.inner_text, '*cancel*'),
            strings.ilike(body.html.inner_text, '*renew*'),
            strings.ilike(body.html.inner_text, '*refund*'),
            strings.ilike(body.html.inner_text, '*+1*'),
            strings.ilike(body.html.inner_text, '*help*desk*'),
          )
        )
        or regex.icontains(body.current_thread.text,
                           'note from.{0,50}(?:call|reach|contact)'
        )
      )
    )
    or (
      // Unicode confusables: the lure words +1, payment, help desk, refund, antivirus,
      // call and cancel typed in mathematical bold look-alike letters to dodge keyword matching
      regex.icontains(body.html.inner_text,
                      '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗵𝗲𝗹𝗽 𝗱𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
      )
    )
    or strings.ilike(body.html.inner_text, '*kindly*')
  )

attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"
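To see what the body conditions above actually do, the following is an added Python example (not the Sublime rule or code from its repository) that ports the phone-number regexes, the "4 of" keyword tally, the "note from ... call/reach/contact" shortcut and the confusables branch, then runs them over constructed seller notes: a plain callback lure, a benign invoice note that hits four keywords but has no phone number, a note that asks the reader to "reach us" with few keywords, and a lure typed in mathematical bold look-alikes with l/O used as digits. The header conditions (PayPal sender domain, DMARC) are left out because they need the raw message. Unicode folding is done with NFKC, which maps Mathematical Alphanumeric Symbols back to ASCII; Sublime's `strings.replace_confusables` is assumed to behave comparably on these letters but is not reproduced.

```python
"""Added example (not the Sublime rule or its repository code): a Python port of
the rule's body checks, run over constructed seller notes. Sender-domain and
DMARC conditions need headers and are left out. NFKC folding stands in for
Sublime's strings.replace_confusables (assumed comparable, not identical)."""
import re
import unicodedata

# The rule's digit class: the letters l and o double as look-alikes for 1 and 0.
D = r"[lo0-9]"

# Phone formats ported from the rule (its loosest first pattern is omitted).
PHONE_PATTERNS = [re.compile(p, re.I) for p in (
    rf"\+{D}{{1,3}}{D}{{10}}",             # +12028001238
    rf"{D}{{3}}\.{D}{{3}}\.{D}{{4}}",       # 202.800.1238
    rf"{D}{{3}}-{D}{{3}}-{D}{{4}}",         # 202-800-1238
    rf"\({D}{{3}}\)\s{D}{{3}}-{D}{{4}}",    # (202) 800-1238
    rf"\({D}{{3}}\)-{D}{{3}}-{D}{{4}}",     # (202)-800-1238
)]
BARE_8XX = re.compile(rf"8{D}{{9}}", re.I)   # 8123456789, only counted next to a "+1"
PLUS_ONE = re.compile(r"\+[1l]", re.I)

# The rule's "4 of" list; ilike wildcards '*a*b*' become 'a.*b'.
KEYWORD_PATTERNS = [re.compile(p, re.I | re.S) for p in (
    r"you did not", r"is not for", r"didn't ma[kd]e this",
    r"fruad alert",                           # spelled as in the rule
    r"using your paypal", r"subscription", r"antivirus", r"order", r"support",
    r"receipt", r"invoice", r"purchase", r"market.*value", r"btc", r"call",
    r"get in touch with our", r"quickly inform", r"detected unusual transactions",
    r"cancel", r"renew", r"refund", r"\+1", r"help.*desk",
)]
NOTE_MARKER = re.compile(r"seller note|note from ", re.I)
NOTE_ASKS_CALL = re.compile(r"note from.{0,50}(?:call|reach|contact)", re.I | re.S)
# Plain-text forms of the words the rule's confusables branch looks for.
LURE_WORDS = ("+1", "payment", "help desk", "refund", "antivirus", "call", "cancel")


def fold(text: str) -> str:
    """NFKC maps Mathematical Alphanumeric Symbols back to their ASCII base letters."""
    return unicodedata.normalize("NFKC", text)


def sans_bold(word: str) -> str:
    """Type a-z and 0-9 in Mathematical Sans-Serif Bold, the way the lures are written."""
    out = []
    for ch in word:
        if "a" <= ch <= "z":
            out.append(chr(0x1D5EE + ord(ch) - ord("a")))
        elif "0" <= ch <= "9":
            out.append(chr(0x1D7EC + ord(ch) - ord("0")))
        else:
            out.append(ch)
    return "".join(out)


def find_phone_numbers(text: str) -> list[str]:
    folded = fold(text)
    hits = [m.group() for p in PHONE_PATTERNS for m in p.finditer(folded)]
    if PLUS_ONE.search(folded):
        hits += [m.group() for m in BARE_8XX.finditer(folded)]
    return hits


def matched_keywords(text: str) -> list[str]:
    folded = fold(text)
    return [p.pattern for p in KEYWORD_PATTERNS if p.search(folded)]


def obfuscated_lure_words(text: str) -> list[str]:
    """Lure words that only become readable after folding, i.e. typed in confusables."""
    folded, raw = fold(text).lower(), text.lower()
    return [w for w in LURE_WORDS if w in folded and w not in raw]


def classify(body: str) -> dict:
    """Mirror the rule's body logic: note marker, then phone+keywords, confusables or 'kindly'."""
    folded = fold(body)
    phones = find_phone_numbers(body)
    keywords = matched_keywords(body)
    obfuscated = obfuscated_lure_words(body)
    flagged = bool(NOTE_MARKER.search(folded)) and (
        (bool(phones) and (len(keywords) >= 4 or bool(NOTE_ASKS_CALL.search(folded))))
        or bool(obfuscated)
        or "kindly" in folded.lower()
    )
    return {"flagged": flagged, "phones": phones, "keywords": keywords, "obfuscated": obfuscated}


# Constructed sample seller notes (not real messages).
SCAM_NOTE = ("Seller note: You did not authorize this $499.99 antivirus subscription? "
             "Call our support team at +1 (202) 800-1238 to cancel and get a refund.")
BENIGN_NOTE = ("Seller note: Thanks for your purchase! Your order receipt and invoice "
               "are available in your PayPal account under Activity.")
CALLBACK_NOTE = "Note from seller: please reach us at 202-800-1238 about your recent transaction."
OBFUSCATED_NOTE = (f"Seller note: to {sans_bold('refund')} this {sans_bold('payment')} "
                   f"{sans_bold('call')} the {sans_bold('help desk')} at +{sans_bold('1')} (2O2) 8OO-l238.")

if __name__ == "__main__":
    for name, note in [("scam", SCAM_NOTE), ("benign", BENIGN_NOTE),
                       ("callback", CALLBACK_NOTE), ("obfuscated", OBFUSCATED_NOTE)]:
        print(name, classify(note))
```

The benign note is the point of the `and` between the phone branch and the keyword tally: invoice wording such as order, receipt, invoice and purchase is common to legitimate PayPal invoices, so four keyword hits alone never fire; a phone number must be present too, or the note must be written in look-alike letters. Folding before matching is what lets `+𝟭 (2O2) 8OO-l238` count as a phone number, and comparing the raw and folded text is a cheap way to tell deliberate confusable obfuscation from ordinary typing.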