High Severity
Attachment: Callback Phishing solicitation via pdf file
Labels
Description
A fraudulent invoice or receipt delivered as a single-page PDF attachment.
Callback phishing is an attempt by an attacker to solicit the victim (the recipient) into calling a phone number.
The resulting interaction can lead to a range of attacks, including financial theft, Remote Access Trojan (RAT) installation, or ransomware deployment.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated Nov 7th, 2023
Feed Source
Sublime Core Feed
Source
type.inbound
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
// single attachment
and length(attachments) == 1
// sender is freemail
and sender.email.domain.root_domain in $free_email_providers
// the attachment is a pdf with 1 page, and at least 60 ocr chars
and any(attachments,
  .file_extension == "pdf"
  and any(file.explode(.), .scan.exiftool.page_count == 1)
  and any(file.explode(.), length(.scan.ocr.raw) > 60)
  // 4 of the following strings are found
  and any(file.explode(.),
    4 of (
      strings.icontains(.scan.ocr.raw, "purchase"),
      strings.icontains(.scan.ocr.raw, "payment"),
      strings.icontains(.scan.ocr.raw, "transaction"),
      strings.icontains(.scan.ocr.raw, "subscription"),
      strings.icontains(.scan.ocr.raw, "antivirus"),
      strings.icontains(.scan.ocr.raw, "order"),
      strings.icontains(.scan.ocr.raw, "support"),
      strings.icontains(.scan.ocr.raw, "help line"),
      strings.icontains(.scan.ocr.raw, "receipt"),
      strings.icontains(.scan.ocr.raw, "invoice"),
      strings.icontains(.scan.ocr.raw, "call"),
      strings.icontains(.scan.ocr.raw, "helpdesk"),
      strings.icontains(.scan.ocr.raw, "cancel"),
      strings.icontains(.scan.ocr.raw, "renew"),
      strings.icontains(.scan.ocr.raw, "refund"),
      regex.icontains(.scan.ocr.raw, '(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})')
    )
  )
  // 1 of the following strings is found, representing common Callback brands
  and (
    any(file.explode(.),
      1 of (
        strings.icontains(.scan.ocr.raw, "geek squad"),
        strings.icontains(.scan.ocr.raw, "lifelock"),
        strings.icontains(.scan.ocr.raw, "best buy"),
        strings.icontains(.scan.ocr.raw, "mcafee"),
        strings.icontains(.scan.ocr.raw, "norton"),
        strings.icontains(.scan.ocr.raw, "ebay"),
        strings.icontains(.scan.ocr.raw, "paypal"),
      )
    )
    or any(ml.logo_detect(.).brands,
      .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
    )
  )
)
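To show how the rule's conditions combine (one single-page PDF, freemail sender, at least 60 OCR characters, four of the invoice/phone terms, and one brand signal), here is an added Python re-implementation of the same logic run over two constructed messages. It is not Sublime's engine or MQL: the `Message` and `Attachment` dataclasses, the `FREE_EMAIL_PROVIDERS` set (a stand-in for `$free_email_providers`), the `detected_logos` field (a stand-in for `ml.logo_detect`), and the sample OCR text are all assumptions made for the example; the keyword lists, brand names and phone regex are copied from the rule above.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for the rule's $free_email_providers list (assumption).
FREE_EMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Terms from the rule's "4 of" block; matched case-insensitively like strings.icontains.
INVOICE_TERMS = [
    "purchase", "payment", "transaction", "subscription", "antivirus",
    "order", "support", "help line", "receipt", "invoice", "call",
    "helpdesk", "cancel", "renew", "refund",
]
# Phone-number pattern copied verbatim from the rule's regex.icontains call.
PHONE_RE = re.compile(r'(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})', re.IGNORECASE)

# Brand strings from the rule's "1 of" block, and the logo names from ml.logo_detect.
BRAND_TERMS = ["geek squad", "lifelock", "best buy", "mcafee", "norton", "ebay", "paypal"]
LOGO_BRANDS = {"PayPal", "Norton", "GeekSquad", "Ebay"}


@dataclass
class Attachment:
    file_extension: str
    page_count: int           # stands in for .scan.exiftool.page_count
    ocr_text: str             # stands in for .scan.ocr.raw
    detected_logos: list = field(default_factory=list)  # stands in for ml.logo_detect(.).brands


@dataclass
class Message:
    sender_root_domain: str
    attachments: list
    sender_solicited: bool = False
    sender_any_malicious_or_spam: bool = False
    sender_any_false_positives: bool = False


def sender_profile_suspicious(m: Message) -> bool:
    # Mirrors the profile.by_sender() block: unsolicited, or a prior bad verdict with no FP.
    return (not m.sender_solicited) or (
        m.sender_any_malicious_or_spam and not m.sender_any_false_positives
    )


def invoice_term_hits(text: str) -> list:
    # Returns every matching term plus a marker if the phone-number regex fires.
    lowered = text.lower()
    hits = [term for term in INVOICE_TERMS if term in lowered]
    if PHONE_RE.search(text):
        hits.append("<phone pattern>")
    return hits


def brand_hit(att: Attachment) -> bool:
    # Either an OCR brand string or a detected logo satisfies the rule's "or".
    lowered = att.ocr_text.lower()
    return any(b in lowered for b in BRAND_TERMS) or any(
        logo in LOGO_BRANDS for logo in att.detected_logos
    )


def matches_callback_phishing_pdf(m: Message) -> bool:
    # Each early return corresponds to one "and" clause of the rule.
    if not sender_profile_suspicious(m):
        return False
    if len(m.attachments) != 1:
        return False
    if m.sender_root_domain not in FREE_EMAIL_PROVIDERS:
        return False
    att = m.attachments[0]
    if att.file_extension != "pdf" or att.page_count != 1 or len(att.ocr_text) <= 60:
        return False
    if len(invoice_term_hits(att.ocr_text)) < 4:
        return False
    return brand_hit(att)


# Constructed sample OCR output of a fake renewal invoice (not a real message).
SUSPECT = Message(
    sender_root_domain="gmail.com",
    attachments=[Attachment("pdf", 1, (
        "Thank you for your purchase. Your Norton antivirus subscription has been "
        "renewed. Invoice #A-1021. Amount: $399.99. To cancel or request a refund, "
        "call our help line at +1 (800) 555-0199 within 24 hours."
    ))],
)

# Constructed benign single-page PDF from a freemail sender: few terms, no brand.
BENIGN = Message(
    sender_root_domain="gmail.com",
    attachments=[Attachment("pdf", 1, (
        "Agenda for Thursday's planning meeting. Call to order at nine. Items in "
        "order of priority: budget review, hiring plan, offsite dates."
    ))],
)

if __name__ == "__main__":
    for label, msg in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, matches_callback_phishing_pdf(msg), invoice_term_hits(msg.attachments[0].ocr_text))
```

The benign agenda still hits "call" and "order", which is why the rule requires four terms plus a brand signal rather than any single keyword; lowering either threshold is the main source of false positives when tuning a rule like this.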