PayPal Invoice Abuse
A fraudulent invoice or receipt is placed in the body of a message sent by abusing PayPal's own invoicing service, so the mail arrives from a legitimate paypal.com sender and passes DMARC. Callback phishing is an attempt by an attacker to get the victim (the recipient) to call a phone number; the resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
Sublime rule
name: "PayPal Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
references:
  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
severity: "medium"
source: |
  type.inbound
  and length(attachments) == 0
  and sender.email.domain.root_domain == "paypal.com"
  and not any(headers.hops, .authentication_results.dmarc == "fail")
  and strings.ilike(body.html.display_text, "*seller note*")
  and (
    (
      // phone number but not 800 number
      regex.contains(body.html.inner_text,
                     '[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?[\s:,-]\d{3}[\s:,-]\d{4}\b'
      )
      and (
        4 of (
          strings.ilike(body.html.inner_text, '*you did not*'),
          strings.ilike(body.html.inner_text, '*subscription*'),
          strings.ilike(body.html.inner_text, '*antivirus*'),
          strings.ilike(body.html.inner_text, '*order*'),
          strings.ilike(body.html.inner_text, '*support*'),
          strings.ilike(body.html.inner_text, '*receipt*'),
          strings.ilike(body.html.inner_text, '*invoice*'),
          strings.ilike(body.html.inner_text, '*call*'),
          strings.ilike(body.html.inner_text, '*cancel*'),
          strings.ilike(body.html.inner_text, '*renew*'),
          strings.ilike(body.html.inner_text, '*refund*'),
          strings.ilike(body.html.inner_text, '*+1*'),
          strings.ilike(body.html.inner_text, '*help*desk*')
        )
      )
    )
    or (
      // Unicode confusables words obfuscated in note
      regex.contains(body.html.inner_text, '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹')
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"
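Added Python example (not part of the Sublime rule or its repository) that reimplements the rule's two content branches so they can be run over constructed seller-note text: the non-800 phone regex with the 4-of-keywords check, and the literal confusable-glyph regex, extended here with an NFKC fold so that other maths-alphanumeric glyph families not in the rule's literal list are caught as well. The function names, the bold_serif helper and all sample notes are constructed for this example, and the rule's sender, DMARC and attachment conditions are assumed to have passed.

```python
import re
import unicodedata

# Same phone pattern as the rule: optional "+", 1-2 digit prefix, non-800 area code.
PHONE_RE = re.compile(r"[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?"
                      r"[\s:,-]\d{3}[\s:,-]\d{4}\b")
# The rule's lure keywords; "help*desk" is a wildcard and is handled separately.
KEYWORDS = ["you did not", "subscription", "antivirus", "order", "support",
            "receipt", "invoice", "call", "cancel", "renew", "refund", "+1"]
HELPDESK_RE = re.compile(r"help.*desk", re.IGNORECASE | re.DOTALL)
# The rule's literal confusable alternatives (mathematical sans-serif bold glyphs).
CONFUSABLE_RE = re.compile(r"\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹")

def keyword_hits(text):
    low = text.lower()
    hits = [k for k in KEYWORDS if k in low]
    return hits + (["help*desk"] if HELPDESK_RE.search(text) else [])

def phone_branch(text):
    """Branch 1: a non-800 phone number and at least 4 of the lure keywords."""
    return bool(PHONE_RE.search(text)) and len(keyword_hits(text)) >= 4

def confusable_branch(text):
    """Branch 2 (literal glyphs), generalised: NFKC folds maths glyphs to ASCII, then branch 1 is re-run."""
    if CONFUSABLE_RE.search(text):
        return True
    folded = unicodedata.normalize("NFKC", text)
    return folded != text and phone_branch(folded)

def evaluate(body_text):
    """Return the branch that fired, or None; sender/DMARC/attachment checks are assumed passed."""
    if "seller note" not in body_text.lower():
        return None
    if phone_branch(body_text):
        return "phone+keywords"
    return "confusables" if confusable_branch(body_text) else None

def bold_serif(s):
    """Constructed obfuscation helper: ASCII lowercase -> mathematical bold serif glyphs."""
    return "".join(chr(0x1D41A + ord(c) - 97) if "a" <= c <= "z" else c for c in s)

# Constructed sample seller notes (not real messages).
SAMPLES = {
    "callback": "Seller note: You did not authorize this order? Your antivirus subscription "
                "was renewed. To cancel and get a refund, call support at +1 (415) 555-0199.",
    "confusables": "Seller note: for a 𝗿𝗲𝗳𝘂𝗻𝗱 𝗰𝗮𝗹𝗹 𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸 +𝟭 415 555 0199",
    "other_glyphs": "Seller note: " + bold_serif("antivirus order renewed, call support")
                    + " +1 (415) 555-0199 to " + bold_serif("cancel") + ".",
    "benign": "Seller note: Thanks for your order! Questions? Call 1-800-555-0100.",
}
```

The "other_glyphs" sample shows why the NFKC fold matters: it uses bold serif rather than sans-serif bold glyphs, so the rule's literal list misses it, but the folded text trips branch 1.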