Medium Severity
Callback Phishing solicitation in message body
Description
Detects a fraudulent invoice or receipt in the body of a message. Callback phishing is an attempt by an attacker to solicit the victim (the recipient) into calling a phone number. The resulting interaction can lead to a range of attacks, including financial theft, Remote Access Trojan (RAT) installation, or ransomware deployment.
References
No references.
Sublime Security
Created Aug 17th, 2023 • Last updated May 8th, 2024
Feed Source
Sublime Core Feed
Source
type.inbound
and length(attachments) == 0
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_false_positives
  )
)
and (
  sender.email.domain.root_domain in $free_email_providers
  or sender.email.domain.tld in $suspicious_tlds
  or network.whois(sender.email.domain).found == false
  or headers.mailer in~ ("Microsoft CDO for Windows 2000")
)
and (
  strings.ilike(body.current_thread.text,
                "*mcfee*",
                "*mcafee*",
                "*norton*",
                "*geek*squad*",
                "*paypal*",
                "*ebay*",
                "*symantec*",
                "*best buy*",
                "*lifelock*",
                "*utilities premium*"
  )
  or any(ml.logo_detect(beta.message_screenshot()).brands,
         .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
  )
)
and length(body.current_thread.text) < 1500
and (
  (
    3 of (
      strings.ilike(body.current_thread.text, '*purchase*'),
      strings.ilike(body.current_thread.text, '*payment*'),
      strings.ilike(body.current_thread.text, '*transaction*'),
      strings.ilike(body.current_thread.text, '*subscription*'),
      strings.ilike(body.current_thread.text, '*antivirus*'),
      strings.ilike(body.current_thread.text, '*order*'),
      strings.ilike(body.current_thread.text, '*support*'),
      strings.ilike(body.current_thread.text, '*help line*'),
      strings.ilike(body.current_thread.text, '*receipt*'),
      strings.ilike(body.current_thread.text, '*invoice*'),
      strings.ilike(body.current_thread.text, '*call*'),
      strings.ilike(body.current_thread.text, '*cancel*'),
      strings.ilike(body.current_thread.text, '*renew*'),
      strings.ilike(body.current_thread.text, '*refund*'),
      strings.ilike(body.current_thread.text, "*contact us at*")
    )
    // phone number regex
    and (
      regex.icontains(body.current_thread.text,
                      '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
      )
      or regex.icontains(body.current_thread.text,
                         '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
      )
    )
  )
  or (
    any(file.explode(beta.message_screenshot()),
        3 of (
          strings.ilike(.scan.ocr.raw, '*purchase*'),
          strings.ilike(.scan.ocr.raw, '*payment*'),
          strings.ilike(.scan.ocr.raw, '*transaction*'),
          strings.ilike(.scan.ocr.raw, '*subscription*'),
          strings.ilike(.scan.ocr.raw, '*antivirus*'),
          strings.ilike(.scan.ocr.raw, '*order*'),
          strings.ilike(.scan.ocr.raw, '*support*'),
          strings.ilike(.scan.ocr.raw, '*help line*'),
          strings.ilike(.scan.ocr.raw, '*receipt*'),
          strings.ilike(.scan.ocr.raw, '*invoice*'),
          strings.ilike(.scan.ocr.raw, '*call*'),
          strings.ilike(.scan.ocr.raw, '*cancel*'),
          strings.ilike(.scan.ocr.raw, '*renew*'),
          strings.ilike(.scan.ocr.raw, '*refund*'),
          strings.ilike(.scan.ocr.raw, '*contact us at*')
        )
        // phone number regex
        and (
          regex.icontains(.scan.ocr.raw,
                          '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
          )
          or regex.icontains(.scan.ocr.raw,
                             '\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
          )
        )
    )
  )
)
and sender.email.domain.root_domain not in (
  // paypal domain
  "xoom.com"
)
and not strings.ends_with(headers.message_id, "@shopify.com>")
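As an added illustration, not part of the rule or of Sublime Security's code, the Python below re-implements the body-content portion of the rule (brand wildcards, the "3 of" invoice vocabulary, the two phone-number regexes, and the 1500-character cap) and runs it over three constructed sample bodies. The `ilike` helper is an assumed emulation of MQL `strings.ilike` (case-insensitive glob with `*` as the wildcard); the sender-reputation, WHOIS, mailer and logo-detection conditions are not reproduced. The screenshot/OCR branch applies the same tests to `.scan.ocr.raw`, so OCR output can be passed to the same functions.

```python
import re

# Brand wildcards from the rule's strings.ilike() call ('*' matches anything, case-insensitive).
BRAND_GLOBS = [
    "*mcfee*", "*mcafee*", "*norton*", "*geek*squad*", "*paypal*", "*ebay*",
    "*symantec*", "*best buy*", "*lifelock*", "*utilities premium*",
]

# Invoice/receipt vocabulary; the rule requires at least 3 of these to be present.
INVOICE_KEYWORDS = [
    "purchase", "payment", "transaction", "subscription", "antivirus", "order",
    "support", "help line", "receipt", "invoice", "call", "cancel", "renew",
    "refund", "contact us at",
]

# The two phone-number patterns from the rule, compiled for Python's re module.
# MQL regex.icontains is case-insensitive, hence re.IGNORECASE.
PHONE_REGEXES = [
    re.compile(r"\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}", re.IGNORECASE),
    re.compile(r"\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}", re.IGNORECASE),
]


def ilike(text: str, glob: str) -> bool:
    """Assumed emulation of MQL strings.ilike(): case-insensitive match, '*' is a wildcard."""
    pattern = ".*".join(re.escape(part) for part in glob.split("*"))
    return re.search(pattern, text, re.IGNORECASE | re.DOTALL) is not None


def mentions_brand(text: str) -> bool:
    """True if any impersonated brand wildcard matches the body."""
    return any(ilike(text, g) for g in BRAND_GLOBS)


def invoice_keyword_hits(text: str) -> list[str]:
    """Return the invoice keywords present in the body, in INVOICE_KEYWORDS order."""
    return [kw for kw in INVOICE_KEYWORDS if ilike(text, f"*{kw}*")]


def contains_phone_number(text: str) -> bool:
    """True if either of the rule's phone-number regexes matches."""
    return any(rx.search(text) for rx in PHONE_REGEXES)


def body_looks_like_callback_phish(text: str, keyword_threshold: int = 3, max_len: int = 1500) -> bool:
    """Mirror the rule's body conditions: short body, impersonated brand,
    at least keyword_threshold invoice words, and a phone number to call."""
    if len(text) >= max_len:
        return False
    if not mentions_brand(text):
        return False
    if len(invoice_keyword_hits(text)) < keyword_threshold:
        return False
    return contains_phone_number(text)


# Constructed sample bodies (not real messages).
CALLBACK_PHISH_SAMPLE = (
    "Thank you for your purchase of Norton 360 Antivirus. Your subscription "
    "renewal payment of $349.99 has been processed. If you did not authorize "
    "this transaction, call our support team at +1 (888) 555-0142 within 24 "
    "hours to cancel and receive a full refund."
)
BENIGN_RECEIPT_SAMPLE = (
    "Your PayPal payment of $12.00 to Acme Books was completed. "
    "Transaction ID: 7AB-22XK-QP. View your order details by signing in to your account."
)
BENIGN_MEETING_SAMPLE = (
    "Hi team, the quarterly design review is on Thursday at 10am in room 4. "
    "The agenda is in the calendar invite."
)

if __name__ == "__main__":
    for name, sample in [("callback phish", CALLBACK_PHISH_SAMPLE),
                         ("benign receipt", BENIGN_RECEIPT_SAMPLE),
                         ("benign meeting", BENIGN_MEETING_SAMPLE)]:
        print(f"{name}: verdict={body_looks_like_callback_phish(sample)} "
              f"keywords={invoice_keyword_hits(sample)}")
```

The benign receipt shows why the phone-number requirement matters: it mentions a brand and clears the three-keyword threshold, and only the absence of a callable number keeps it from matching. Note that the first regex is loose (its `.` wildcards accept any single separator), so a long numeric identifier can satisfy it; the rule compensates by also requiring the brand, keyword, length and sender-reputation conditions rather than relying on the phone pattern alone.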