Sublime Core Feed
High Severity

Attachment: Callback Phishing solicitation via pdf file

Labels

Callback Phishing
Evasion
Free email provider
Out of band pivot
PDF
Social engineering
Exif analysis
File analysis
Optical Character Recognition
Sender analysis

Description

A fraudulent invoice or receipt delivered as a PDF attachment. Callback phishing is an attempt by an attacker to solicit the victim (recipient) into calling a phone number. The resulting phone interaction can lead to a range of attacks, from financial theft to Remote Access Trojan (RAT) installation or ransomware deployment.

References

No references.

Sublime Security
Created Aug 17th, 2023 • Last updated Jul 29th, 2024
Feed Source: Sublime Core Feed
Source: GitHub

Rule (MQL)

type.inbound
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)

// single attachment
and length(attachments) == 1

// sender is freemail
and sender.email.domain.root_domain in $free_email_providers

// the attachment is a pdf with fewer than 3 pages and more than 60 ocr chars
and any(attachments,
        (
          .file_extension == "pdf"
          and (
            // page count of the attached pdf (top-level exploded object only)
            any(file.explode(.),
                .depth == 0 and .scan.exiftool.page_count < 3
            )
            // check that any _single_ result in the file.explode matches these conditions
            and any(file.explode(.),
                length(.scan.ocr.raw) > 60
                // 4 of the following strings are found
                and (
                  4 of (
                    strings.icontains(.scan.ocr.raw, "purchase"),
                    strings.icontains(.scan.ocr.raw, "payment"),
                    strings.icontains(.scan.ocr.raw, "transaction"),
                    strings.icontains(.scan.ocr.raw, "subscription"),
                    strings.icontains(.scan.ocr.raw, "antivirus"),
                    strings.icontains(.scan.ocr.raw, "order"),
                    strings.icontains(.scan.ocr.raw, "support"),
                    strings.icontains(.scan.ocr.raw, "help line"),
                    strings.icontains(.scan.ocr.raw, "receipt"),
                    strings.icontains(.scan.ocr.raw, "invoice"),
                    strings.icontains(.scan.ocr.raw, "call"),
                    strings.icontains(.scan.ocr.raw, "helpdesk"),
                    strings.icontains(.scan.ocr.raw, "cancel"),
                    strings.icontains(.scan.ocr.raw, "renew"),
                    strings.icontains(.scan.ocr.raw, "refund"),
                    strings.icontains(.scan.ocr.raw, "amount"),
                    strings.icontains(.scan.ocr.raw, "crypto"),
                    strings.icontains(.scan.ocr.raw, "wallet address"),
                    regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
                    regex.icontains(.scan.ocr.raw,
                                    '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
                    ),
                    regex.icontains(.scan.ocr.raw,
                                    '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
                    )
                  )
                )

                // 1 of the following strings is found, representing common Callback brands
                and 1 of (
                  strings.icontains(.scan.ocr.raw, "geek squad"),
                  strings.icontains(.scan.ocr.raw, "lifelock"),
                  strings.icontains(.scan.ocr.raw, "best buy"),
                  strings.icontains(.scan.ocr.raw, "mcafee"),
                  regex.icontains(.scan.ocr.raw, "ma?c.?fee"),
                  strings.icontains(.scan.ocr.raw, "norton"),
                  strings.icontains(.scan.ocr.raw, "ebay"),
                  strings.icontains(.scan.ocr.raw, "paypal"),
                )
                // Negate bank statements
                and not (
                  2 of (
                    strings.icontains(.scan.ocr.raw, "opening balance"),
                    strings.icontains(.scan.ocr.raw, "closing balance"),
                    strings.icontains(.scan.ocr.raw, "direct debit"),
                    strings.icontains(.scan.ocr.raw, "interest"),
                    strings.icontains(.scan.ocr.raw, "account balance"),
                  )
                )
            )

          // or a common callback brand logo is detected in the pdf
          or any(ml.logo_detect(.).brands,
                 .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
          )
        )
)
)
// exclude replies and forwards (thread headers or reply/forward subject prefixes)
and (
  (
    (
      length(headers.references) > 0
      or not any(headers.hops,
                 any(.fields, strings.ilike(.name, "In-Reply-To"))
      )
    )
    and not (
      (
        strings.istarts_with(subject.subject, "RE:")
        or strings.istarts_with(subject.subject, "RES:")
        or strings.istarts_with(subject.subject, "R:")
        or strings.istarts_with(subject.subject, "ODG:")
        or strings.istarts_with(subject.subject, "答复:")
        or strings.istarts_with(subject.subject, "AW:")
        or strings.istarts_with(subject.subject, "TR:")
        or strings.istarts_with(subject.subject, "FWD:")
        or regex.imatch(subject.subject,
                        '(\[[^\]]+\]\s?){0,3}(re|fwd?|automat.*)\s?:.*'
        )
      )
    )
  )
  or (length(headers.references) == 0 or length(body.current_thread.text) < 10)
)