PayPal Invoice Abuse

A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Sublime rule (View on GitHub)

  1name: "PayPal Invoice Abuse"
  2description: |
  3  A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
  4  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  5  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
  6type: "rule"
  7references:
  8  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
  9severity: "medium"
 10source: |
 11  type.inbound
 12  and length(attachments) == 0
 13  and sender.email.domain.root_domain in ("paypal.com", "paypal.com.mx", "paypal.com.br", "paypal.com.ar")
 14  and not any(headers.hops, .authentication_results.dmarc == "fail")
 15  and (
 16    strings.ilike(body.html.display_text, "*seller note*")
 17    or strings.ilike(body.html.display_text, "*Note from *")
 18  )
 19  and (
 20    (
 21      // icontains a phone number
 22      (
 23        regex.icontains(strings.replace_confusables(body.current_thread.text),
 24                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
 25        )
 26        or regex.icontains(strings.replace_confusables(body.current_thread.text),
 27                           '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
 28        )
 29        or // +12028001238
 30       regex.icontains(strings.replace_confusables(body.current_thread.text),
 31                   '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
 32        )
 33        or // 202-800-1238
 34       regex.icontains(strings.replace_confusables(body.current_thread.text),
 35                   '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
 36        )
 37        or // (202) 800-1238
 38       regex.icontains(strings.replace_confusables(body.current_thread.text),
 39                   '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
 40        )
 41        or // (202)-800-1238
 42       regex.icontains(strings.replace_confusables(body.current_thread.text),
 43                   '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
 44        )
 45        or ( // 8123456789
 46          regex.icontains(strings.replace_confusables(body.current_thread.text),
 47                          '.*8[lo0-9]{9}.*\n'
 48          )
 49          and regex.icontains(strings.replace_confusables(body.current_thread.text
 50                              ),
 51                              '\+[1l]'
 52          )
 53        )
 54      )
 55      and (
 56        (
 57          4 of (
 58            strings.ilike(body.html.inner_text, '*you did not*'),
 59            strings.ilike(body.html.inner_text, '*is not for*'),
 60            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
 61            strings.ilike(body.html.inner_text, "*Fruad Alert*"),
 62            strings.ilike(body.html.inner_text, '*using your PayPal*'),
 63            strings.ilike(body.html.inner_text, '*subscription*'),
 64            strings.ilike(body.html.inner_text, '*antivirus*'),
 65            strings.ilike(body.html.inner_text, '*order*'),
 66            strings.ilike(body.html.inner_text, '*support*'),
 67            strings.ilike(body.html.inner_text, '*receipt*'),
 68            strings.ilike(body.html.inner_text, '*invoice*'),
 69            strings.ilike(body.html.inner_text, '*Purchase*'),
 70            strings.ilike(body.html.inner_text, '*Market*Value*'),
 71            strings.ilike(body.html.inner_text, '*BTC*'),
 72            strings.ilike(body.html.inner_text, '*call*'),
 73            strings.ilike(body.html.inner_text, '*get in touch with our*'),
 74            strings.ilike(body.html.inner_text, '*quickly inform*'),
 75            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
 76            strings.ilike(body.html.inner_text, '*cancel*'),
 77            strings.ilike(body.html.inner_text, '*renew*'),
 78            strings.ilike(body.html.inner_text, '*refund*'),
 79            strings.ilike(body.html.inner_text, '*+1*'),
 80            strings.ilike(body.html.inner_text, '*help*desk*'),
 81          )
 82        )
 83        or regex.icontains(body.current_thread.text,
 84                           'note from.{0,50}(?:call|reach|contact)'
 85        )
 86      )
 87    )
 88    or (
 89      // Unicode confusables words obfuscated in note
 90      regex.icontains(body.html.inner_text,
 91                      '\+๐Ÿญ|๐—ฝ๐—ฎ๐˜†๐—บ๐—ฒ๐—ป๐˜|๐—›๐—ฒ๐—น๐—ฝ ๐——๐—ฒ๐˜€๐—ธ|๐—ฟ๐—ฒ๐—ณ๐˜‚๐—ป๐—ฑ|๐—ฎ๐—ป๐˜๐—ถ๐˜ƒ๐—ถ๐—ฟ๐˜‚๐˜€|๐—ฐ๐—ฎ๐—น๐—น|๐—ฐ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—น'
 92      )
 93    )
 94    or strings.ilike(body.html.inner_text, '*kindly*')
 95  )  
 96
 97attack_types:
 98  - "BEC/Fraud"
 99  - "Callback Phishing"
100tactics_and_techniques:
101  - "Evasion"
102  - "Social engineering"
103detection_methods:
104  - "Content analysis"
105  - "Header analysis"
106  - "Sender analysis"
107id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"
to-top