PayPal Invoice Abuse

A fraudulent invoice/receipt found in the body of a message sent by exploiting PayPal's invoicing service. Callback phishing is an attempt by an attacker to get the victim (recipient) to call a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

Sublime rule (View on GitHub)

  1name: "PayPal Invoice Abuse"
  2description: |
  3  A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
  4  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. 
  5  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.  
  6type: "rule"
  7references:
  8  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
  9severity: "medium"
 10source: |
 11  type.inbound
 12  and length(attachments) == 0
 13  and sender.email.domain.root_domain in (
 14    "paypal.com",
 15    "paypal.com.mx",
 16    "paypal.com.br",
 17    "paypal.com.ar",
 18    "paypal.co.uk"
 19  )
 20  and (
 21    strings.ilike(body.html.display_text, "*seller note*")
 22    or strings.ilike(body.html.display_text, "*Note from *")
 23  )
 24  and (
 25    (
 26      // icontains a phone number
 27      (
 28        regex.icontains(strings.replace_confusables(body.current_thread.text),
 29                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
 30        )
 31        or regex.icontains(strings.replace_confusables(body.current_thread.text),
 32                           '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
 33        )
 34        or // +12028001238
 35   regex.icontains(strings.replace_confusables(body.current_thread.text),
 36                   '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
 37        )
 38        or // 202-800-1238
 39   regex.icontains(strings.replace_confusables(body.current_thread.text),
 40                   '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
 41        )
 42        or // (202) 800-1238
 43   regex.icontains(strings.replace_confusables(body.current_thread.text),
 44                   '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
 45        )
 46        or // (202)-800-1238
 47   regex.icontains(strings.replace_confusables(body.current_thread.text),
 48                   '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
 49        )
 50        or ( // 8123456789
 51          regex.icontains(strings.replace_confusables(body.current_thread.text),
 52                          '.*8[lo0-9]{9}.*\n'
 53          )
 54          and regex.icontains(strings.replace_confusables(body.current_thread.text
 55                              ),
 56                              '\+[1l]'
 57          )
 58        )
 59      )
 60      and (
 61        (
 62          4 of (
 63            strings.ilike(body.html.inner_text, '*you did not*'),
 64            strings.ilike(body.html.inner_text, '*is not for*'),
 65            strings.ilike(body.html.inner_text, '*done by you*'),
 66            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
 67            strings.ilike(body.html.inner_text, '*Fruad Alert*'),
 68            strings.ilike(body.html.inner_text, '*Fraud Alert*'),
 69            strings.ilike(body.html.inner_text, '*fraudulent*'),
 70            strings.ilike(body.html.inner_text, '*using your PayPal*'),
 71            strings.ilike(body.html.inner_text, '*subscription*'),
 72            strings.ilike(body.html.inner_text, '*antivirus*'),
 73            strings.ilike(body.html.inner_text, '*order*'),
 74            strings.ilike(body.html.inner_text, '*support*'),
 75            strings.ilike(body.html.inner_text, '*sincerely apologize*'),
 76            strings.ilike(body.html.inner_text, '*receipt*'),
 77            strings.ilike(body.html.inner_text, '*invoice*'),
 78            strings.ilike(body.html.inner_text, '*Purchase*'),
 79            strings.ilike(body.html.inner_text, '*transaction*'),
 80            strings.ilike(body.html.inner_text, '*Market*Value*'),
 81            strings.ilike(body.html.inner_text, '*BTC*'),
 82            strings.ilike(body.html.inner_text, '*call*'),
 83            strings.ilike(body.html.inner_text, '*get in touch with our*'),
 84            strings.ilike(body.html.inner_text, '*quickly inform*'),
 85            strings.ilike(body.html.inner_text, '*quickly reach *'),
 86            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
 87            strings.ilike(body.html.inner_text, '*without your authorization*'),
 88            strings.ilike(body.html.inner_text, '*cancel*'),
 89            strings.ilike(body.html.inner_text, '*renew*'),
 90            strings.ilike(body.html.inner_text, '*refund*'),
 91            strings.ilike(body.html.inner_text, '*+1*'),
 92            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
 93          )
 94        )
 95        or regex.icontains(body.current_thread.text,
 96                           'note from.{0,50}(?:call|reach|contact|paypal)'
 97        )
 98        or any(ml.nlu_classifier(body.current_thread.text).intents,
 99               .name == "callback_scam"
100        )
101        or (
102          // Unicode confusables words obfuscated in note
103          regex.icontains(body.html.inner_text,
104                          '\+๐Ÿญ|๐—ฝ๐—ฎ๐˜†๐—บ๐—ฒ๐—ป๐˜|๐—›๐—ฒ๐—น๐—ฝ ๐——๐—ฒ๐˜€๐—ธ|๐—ฟ๐—ฒ๐—ณ๐˜‚๐—ป๐—ฑ|๐—ฎ๐—ป๐˜๐—ถ๐˜ƒ๐—ถ๐—ฟ๐˜‚๐˜€|๐—ฐ๐—ฎ๐—น๐—น|๐—ฐ๐—ฎ๐—ป๐—ฐ๐—ฒ๐—น'
105          )
106        )
107        or strings.ilike(body.html.inner_text, '*kindly*')
108      )
109    )
110  )  
111attack_types:
112  - "BEC/Fraud"
113  - "Callback Phishing"
114tactics_and_techniques:
115  - "Evasion"
116  - "Social engineering"
117detection_methods:
118  - "Content analysis"
119  - "Header analysis"
120  - "Sender analysis"
121id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"