PayPal Invoice Abuse
A fraudulent invoice/receipt found in the body of the message sent by exploiting PayPal's invoicing service. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.
# Sublime Security detection rule (MQL in the `source` block).
# Fires on inbound, attachment-free mail from a PayPal root domain whose subject or
# body carries a phone number together with callback-scam phrasing. The sender check
# is a plain domain match with no DKIM/DMARC condition in this rule, so it covers both
# abuse of the real invoicing service and mail merely claiming a PayPal sender.
name: "PayPal Invoice Abuse"
description: |
  A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.
  Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number.
  The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
type: "rule"
references:
  - "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
severity: "medium"
source: |
  type.inbound
  // scope: messages with no attachments at all; anything carrying an attachment
  // is left to other rules (presumably because invoice notifications are body-only)
  and length(attachments) == 0
  // sender must be one of PayPal's root domains; this is what makes the rule about
  // abuse of PayPal's own invoicing flow. No authentication check is made here, so a
  // message spoofing one of these domains satisfies this clause as well.
  and sender.email.domain.root_domain in (
    "paypal.com",
    "paypal.com.mx",
    "paypal.com.br",
    "paypal.com.ar",
    "paypal.co.uk"
  )
  // first gate: invoice/seller-note wording, a payment notice delivered to someone
  // other than the mailbox owner, or a phone number in the subject line
  and (
    strings.ilike(body.html.display_text, "*seller note*")
    or strings.ilike(body.html.display_text, "*Note from *")
    or strings.ilike(body.html.display_text, "*Address Updated:*")
    // payment notifications that are sent to a recipient which is not the mailbox id
    // attempts to include ones amplified via a DL
    // (every To: recipient is outside $org_domains and none is this mailbox)
    or (
      strings.ilike(body.html.display_text, "*You Sent *")
      and all(recipients.to,
        .email.domain.domain not in $org_domains
        and .email.email != mailbox.email.email
      )
    )
    // phone number in subject
    // the subject contains the seller's "name", attacks have been seen with the entire callback text in the seller's name
    // Each pattern runs on the confusable-normalized subject; the class [ilo0-9] also
    // accepts i, l and o so lookalike letters used in place of 1 and 0 still match.
    or (
      // loosest form: optional +, optional country digit, optional parentheses, any
      // single separator character (unescaped '.') between groups. `{3}?` is a lazy
      // exactly-three repeat, i.e. the same as `{3}`.
      regex.icontains(strings.replace_confusables(subject.subject),
        '.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*'
      )
      or regex.icontains(strings.replace_confusables(subject.subject),
        '.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*'
      )
      or // +12028001238
      regex.icontains(strings.replace_confusables(subject.subject),
        '.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*'
      )
      or // 202-800-1238
      regex.icontains(strings.replace_confusables(subject.subject),
        '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*'
      )
      or // (202) 800-1238
      regex.icontains(strings.replace_confusables(subject.subject),
        '.*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*'
      )
      or // (202)-800-1238
      regex.icontains(strings.replace_confusables(subject.subject),
        '.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*'
      )
      or ( // 8123456789
        // a bare 10-digit run starting with 8 only counts when a +1 (or +l) also appears
        regex.icontains(strings.replace_confusables(subject.subject),
          '.*8[ilo0-9]{9}.*'
        )
        and regex.icontains(strings.replace_confusables(subject.subject),
          '\+[1l]'
        )
      )
    )
  )
  // second gate: the current thread text must contain a phone number AND some
  // callback-scam language (phrase threshold, "note from" regex, NLU intent,
  // confusable-obfuscated keywords, or "kindly")
  and (
    (
      // icontains a phone number
      // Same patterns as the subject block above, but each one additionally requires
      // the number to be followed by a line break ('.*\n'), so the match must sit at
      // the end of a line of body text.
      (
        regex.icontains(strings.replace_confusables(body.current_thread.text),
          '.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
        )
        or regex.icontains(strings.replace_confusables(body.current_thread.text),
          '.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
        )
        or // +12028001238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
          '.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
        )
        or // 202-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
          '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202) 800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
          '.*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or // (202)-800-1238
        regex.icontains(strings.replace_confusables(body.current_thread.text),
          '.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
        )
        or ( // 8123456789
          regex.icontains(strings.replace_confusables(body.current_thread.text),
            '.*8[ilo0-9]{9}.*\n'
          )
          and regex.icontains(strings.replace_confusables(body.current_thread.text),
            '\+[1l]'
          )
        )
      )
      and (
        (
          // At least four of these phrases must appear in the rendered HTML text.
          // Several are substrings of everyday words (*order*, *call*, *support*,
          // *cancel*, *renew*) and carry little weight alone; the threshold together
          // with the sender and phone-number gates above is what keeps this precise.
          // '*Fruad Alert*' is kept alongside the correct spelling, presumably on purpose.
          4 of (
            strings.ilike(body.html.inner_text, '*you did not*'),
            strings.ilike(body.html.inner_text, '*is not for*'),
            strings.ilike(body.html.inner_text, '*done by you*'),
            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
            strings.ilike(body.html.inner_text, '*Fruad Alert*'),
            strings.ilike(body.html.inner_text, '*Fraud Alert*'),
            strings.ilike(body.html.inner_text, '*fraudulent*'),
            strings.ilike(body.html.inner_text, '*using your PayPal*'),
            strings.ilike(body.html.inner_text, '*subscription*'),
            strings.ilike(body.html.inner_text, '*antivirus*'),
            strings.ilike(body.html.inner_text, '*order*'),
            strings.ilike(body.html.inner_text, '*support*'),
            strings.ilike(body.html.inner_text, '*sincerely apologize*'),
            strings.ilike(body.html.inner_text, '*receipt*'),
            strings.ilike(body.html.inner_text, '*invoice*'),
            strings.ilike(body.html.inner_text, '*Purchase*'),
            strings.ilike(body.html.inner_text, '*transaction*'),
            strings.ilike(body.html.inner_text, '*Market*Value*'),
            strings.ilike(body.html.inner_text, '*BTC*'),
            strings.ilike(body.html.inner_text, '*call*'),
            strings.ilike(body.html.inner_text, '*get in touch with our*'),
            strings.ilike(body.html.inner_text, '*quickly inform*'),
            strings.ilike(body.html.inner_text, '*quickly reach *'),
            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
            strings.ilike(body.html.inner_text, '*without your authorization*'),
            strings.ilike(body.html.inner_text, '*cancel*'),
            strings.ilike(body.html.inner_text, '*renew*'),
            strings.ilike(body.html.inner_text, '*refund*'),
            strings.ilike(body.html.inner_text, '*+1*'),
            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
            strings.ilike(body.html.inner_text, '* your funds*'),
            strings.ilike(body.html.inner_text, '* your checking*'),
            strings.ilike(body.html.inner_text, '* your saving*'),
            strings.ilike(body.html.inner_text, '*transfer*'),
            strings.ilike(body.html.inner_text, '*secure your account*'),
            strings.ilike(body.html.inner_text, '*recover your*'),
            strings.ilike(body.html.inner_text, '*unusual activity*'),
            strings.ilike(body.html.inner_text, '*suspicious transaction*'),
            strings.ilike(body.html.inner_text, '*transaction history*'),
            strings.ilike(body.html.inner_text, '*please ignore this*'),
            strings.ilike(body.html.inner_text, '*report activity*'),
          )
        )
        // "note from ... call/reach/contact/paypal" within 50 characters
        or regex.icontains(body.current_thread.text,
          'note from.{0,50}(?:call|reach|contact|paypal)'
        )
        // NLU classifier already labels the thread as a callback scam
        or any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "callback_scam"
        )
        or (
          // Unicode confusables words obfuscated in note
          // NOTE(review): the pattern below is mis-encoded in this rendering; the
          // upstream rule carries the actual lookalike glyphs — verify against the source.
          regex.icontains(body.html.inner_text,
            '\+๐ญ|๐ฝ๐ฎ๐๐บ๐ฒ๐ป๐|๐๐ฒ๐น๐ฝ ๐๐ฒ๐๐ธ|๐ฟ๐ฒ๐ณ๐๐ป๐ฑ|๐ฎ๐ป๐๐ถ๐๐ถ๐ฟ๐๐|๐ฐ๐ฎ๐น๐น|๐ฐ๐ฎ๐ป๐ฐ๐ฒ๐น'
          )
        )
        or strings.ilike(body.html.inner_text, '*kindly*')
      )
    )
  )
# classification metadata used for triage and reporting
attack_types:
  - "BEC/Fraud"
  - "Callback Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Sender analysis"
# stable rule identifier (UUID)
id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"