PayPal Invoice Abuse

A fraudulent invoice or receipt carried in the body of a message sent by abusing PayPal's own invoicing service, so the lure arrives from a genuine paypal.com sender. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

name: "PayPal Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting PayPal's invoicing service.
  Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
type: "rule"
references:
  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
severity: "medium"
source: |
  // sent through PayPal itself: genuine paypal.com sender, DMARC not failing, no attachments
  type.inbound
  and length(attachments) == 0
  and sender.email.domain.root_domain == "paypal.com"
  and not any(headers.hops, .authentication_results.dmarc == "fail")
  // the attacker-controlled text lives in the invoice's seller note
  and strings.ilike(body.html.display_text, "*seller note*")
  and (
    (
      // phone number but not 800 number
      regex.contains(body.html.inner_text,
                     '[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?[\s:,-]\d{3}[\s:,-]\d{4}\b'
      )
      // plus at least four callback-lure keywords
      and 4 of (
        strings.ilike(body.html.inner_text, '*you did not*'),
        strings.ilike(body.html.inner_text, '*subscription*'),
        strings.ilike(body.html.inner_text, '*antivirus*'),
        strings.ilike(body.html.inner_text, '*order*'),
        strings.ilike(body.html.inner_text, '*support*'),
        strings.ilike(body.html.inner_text, '*receipt*'),
        strings.ilike(body.html.inner_text, '*invoice*'),
        strings.ilike(body.html.inner_text, '*call*'),
        strings.ilike(body.html.inner_text, '*cancel*'),
        strings.ilike(body.html.inner_text, '*renew*'),
        strings.ilike(body.html.inner_text, '*refund*'),
        strings.ilike(body.html.inner_text, '*+1*'),
        strings.ilike(body.html.inner_text, '*help*desk*')
      )
    )
    or (
      // Unicode confusables obfuscating words in the note: mathematical sans-serif bold
      // spellings of +1, payment, Help Desk, refund, antivirus, call, cancel
      regex.contains(body.html.inner_text, '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹')
    )
  )
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"
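As an added example (not the rule's or Sublime's own code), the content checks of the rule are reproduced in Python and run over constructed seller-note text. It assumes one text field where the rule splits display_text and inner_text, leaves out the sender, DMARC and attachment gates, and generalises the confusables branch: instead of matching only the bold sans-serif spellings the rule lists, it NFKC-normalises the note and flags any listed word that appears only after normalisation.

```python
import re
import unicodedata

# Phone number that is not a toll-free 800 number; same pattern as the rule.
PHONE_RE = re.compile(
    r'[\s:,-]\+?\d{1,2}[\s:,-]\(?([2-7][0-9]{2}|80[1-9]|8[1-9][0-9])\)?'
    r'[\s:,-]\d{3}[\s:,-]\d{4}\b'
)
# Rule keywords; ilike('*x*') is a case-insensitive substring match and '*help*desk*' allows text between the words.
KEYWORDS = ["you did not", "subscription", "antivirus", "order", "support",
            "receipt", "invoice", "call", "cancel", "renew", "refund", "+1"]
HELP_DESK_RE = re.compile(r"help.*desk", re.IGNORECASE | re.DOTALL)
MIN_KEYWORDS = 4
# Words the rule looks for in Unicode-confusable (bold sans-serif) form.
CONFUSABLE_WORDS = ["+1", "payment", "help desk", "refund", "antivirus",
                    "call", "cancel"]

def keyword_hits(text):
    low = text.lower()
    hits = [k for k in KEYWORDS if k in low]
    if HELP_DESK_RE.search(text):
        hits.append("help*desk")
    return hits

def obfuscated_words(text):
    """Confusable-list words present only after NFKC normalisation, i.e.
    written with look-alike code points (generalises the rule's regex)."""
    raw = text.lower()
    norm = unicodedata.normalize("NFKC", text).lower()
    return [w for w in CONFUSABLE_WORDS if w in norm and w not in raw]

def evaluate(inner_text):
    """Apply the rule's body-content logic; returns (matched, reason)."""
    if "seller note" not in inner_text.lower():
        return False, "no seller note"
    obf = obfuscated_words(inner_text)
    if obf:
        return True, "confusables hide: " + ", ".join(obf)
    hits = keyword_hits(inner_text)
    if PHONE_RE.search(inner_text) and len(hits) >= MIN_KEYWORDS:
        return True, f"non-800 number and {len(hits)} keywords"
    return False, "below threshold"

# Constructed sample seller notes (not real messages); the phone numbers are fictitious.
SAMPLE_PLAIN = ("Seller note: Your antivirus subscription has been renewed for "
                "$399.99. If you did not authorize this order, call our support "
                "desk at +1 (512) 555-0147 to cancel and request a refund.")
SAMPLE_OBFUSCATED = ("Seller note: 𝗽𝗮𝘆𝗺𝗲𝗻𝘁 received. For a 𝗿𝗲𝗳𝘂𝗻𝗱 contact "
                     "the 𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸 at +𝟭 (512) 555-0147.")
SAMPLE_BENIGN = "Seller note: Thanks for your order! Questions? Call 1-800-555-0199."
```

Calling `evaluate()` on the three samples flags the first two and clears the benign one, whose only number is toll-free.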