Sublime Core Feed
Medium Severity

Attachment: Callback Phishing solicitation via text-based file with a large unknown recipient list

Labels

Callback Phishing
Evasion
Out of band pivot
Social engineering
Content analysis
File analysis
Header analysis
Sender analysis

Description

Callback Phishing via text-based file attachment, with a large number of recipients that are unknown to the organization, and a short body and subject from an unknown sender.

References

No references.

Sublime Security
Created Apr 8th, 2024 • Last updated Jul 26th, 2024
Feed Source
Sublime Core Feed
Source
GitHub
// inbound mail sent to a large recipient list, at least 10 of which are outside the org and not previously seen
type.inbound
and (
  length(recipients.to) > 10
  and length(filter(recipients.to,
                    .email.domain.domain not in $org_domains
                    and .email.email not in $recipient_emails
                    and (
                      .email.domain.valid
                      or strings.icontains(.display_name, "undisclosed")
                    )
             )
  ) >= 10
)
// very short subject
and length(subject.subject) <= 10
// there are no links, or every link is to aka.ms, is on a domain registered less than 30 days ago, or is a bare URL extracted from a warning banner that matches the sender's domain
and (
  length(body.links) == 0
  or length(filter(body.links,
                   (
                     .display_text is null
                     and .display_url.url == sender.email.domain.root_domain
                   )
                   or .href_url.domain.domain == "aka.ms"
                   or network.whois(.display_url.domain).days_old < 30
            )
  ) == length(body.links)
)
// short or empty visible body
and (body.current_thread.text is null or length(body.current_thread.text) < 50)
// one to three attachments, at least one a plain-text or Word file whose extracted strings name a commonly impersonated brand and include a phone number
and 0 < length(attachments) < 4
and any(attachments,
        (.content_type == "text/plain" or .file_type in ("doc", "docx"))
        and any(file.explode(.),
                (.depth == 0 or (.depth == 1 and .flavors.mime == "text/plain"))
                and any(.scan.strings.strings,
                        strings.ilike(.,
                                      "*mcafee*",
                                      "*norton*",
                                      "*geek squad*",
                                      "*paypal*",
                                      "*ebay*",
                                      "*symantec*",
                                      "*best buy*",
                                      "*lifelock*",
                                      "*geek total*"
                        )
                        and any(..scan.strings.strings,
                                regex.icontains(.,
                                                '\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b'
                                )
                        )
                )
        )
)
// sender is not commonly seen, has never been solicited, and has no prior false positives
and profile.by_sender().prevalence != "common"
and not profile.by_sender().solicited
and not profile.by_sender().any_false_positives

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
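To see how the recipient, subject, body and attachment conditions above behave on a concrete message, here is an added Python re-implementation of that part of the rule (not Sublime's code and not MQL). It reuses the rule's brand list and phone regex verbatim, approximates the recipient filter without the domain-validity and "undisclosed" display-name checks, and leaves out the link, sender-profile and DMARC conditions, which need telemetry that is not inside an EML; the org domain, known-recipient set and sample message are constructed assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Brand strings and phone regex copied verbatim from the rule above.
BRANDS = ("mcafee", "norton", "geek squad", "paypal", "ebay",
          "symantec", "best buy", "lifelock", "geek total")
PHONE_RE = re.compile(r"\b\+?(\d{1}.)?\(?\d{3}?\)?.~?.?\d{3}.?~?.\d{4}\b")

def unmet_conditions(msg, org_domains, known_emails):
    """Return the rule's content conditions this message fails; an empty
    list means the recipient, subject, body and attachment checks would
    all fire. Sender profile, link and DMARC checks are not reproduced."""
    failed = []
    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
    unknown = [a for a in to_addrs
               if a.rsplit("@", 1)[-1] not in org_domains and a not in known_emails]
    if len(to_addrs) <= 10 or len(unknown) < 10:
        failed.append("large unknown recipient list")
    if len(msg.get("Subject", "")) > 10:
        failed.append("short subject")
    body = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/plain" and not p.is_attachment())
    if len(body.strip()) >= 50:
        failed.append("short body")
    attachments = [p for p in msg.walk() if p.is_attachment()]
    if not 0 < len(attachments) < 4:
        failed.append("one to three attachments")
    # The rule also explodes doc/docx; only text/plain attachments are handled here.
    lure = any(part.get_content_type() == "text/plain"
               and any(b in part.get_content().lower() for b in BRANDS)
               and PHONE_RE.search(part.get_content())
               for part in attachments)
    if not lure:
        failed.append("brand name and phone number in text attachment")
    return failed

def build_sample(n_recipients, attachment_text):
    """Constructed sample message (not a real capture): external recipients,
    a short subject and body, and one plain-text attachment."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"
    msg["To"] = ", ".join(f"user{i}@external{i}.example" for i in range(n_recipients))
    msg["Subject"] = "Invoice"
    msg.set_content("See attached.")
    msg.add_attachment(attachment_text, filename="invoice.txt")
    return msg

LURE = ("Your McAfee subscription was renewed for $399.99.\n"  # constructed lure text
        "To cancel, call +1 (800) 555-0199 within 24 hours.")
```

Running `unmet_conditions(build_sample(12, LURE), {"corp.example"}, set())` returns an empty list, while the same message with five recipients or with a benign attachment reports which condition did not hold.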