High Severity
Callback Phishing: AOL Senders with Suspicious HTML Template or PDF Attachment
Description
Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present.
References
No references.
Sublime Security
Created Apr 28th, 2025 • Last updated Jun 3rd, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// sender is aol
and sender.email.domain.root_domain == "aol.com"
// with no restored/benign messages
and not profile.by_sender_email().any_messages_benign
// there is a single recipient
and length(recipients.to) == 1
and length(recipients.cc) == 0
and length(recipients.bcc) == 0
// is not a reply
and headers.in_reply_to is null
// this is another way to limit replies but need to account for
// a behavior where Yahoo/Aol seems to include it's own message ID as a reference
and length(headers.references) == 1
// all message-id values end in mail.yahoo.com, some benign messages use @aol.com
and strings.iends_with(headers.message_id, '@mail.yahoo.com>')
// All are using the legit Yahoo X-Mailer
// this removes AOL sent from iphones and other non AOL client
and strings.ends_with(headers.mailer, 'AolMailNorrin')
// exclude common recipients which interact with aol addresses that are commonly (but not always) benign
// recipeint exclusions are suggested for other recipients
and (
// no attachment
(
length(attachments) == 0
// if there are no attachments focus on the HTML template being observed
and (
// yahoo div followed by <br>
// // verdana, helvetica, sans-serif;
strings.icontains(body.html.raw,
"<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
)
// // Helvetica Neue, Helvetica, Arial, sans-serif;
or strings.icontains(body.html.raw,
"<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
)
// yahoo div followed by doctype
// // verdana, helvetica, sans-serif;
or strings.icontains(body.html.raw,
"<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
)
// // Helvetica Neue, Helvetica, Arial, sans-serif;
or strings.icontains(body.html.raw,
"<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
)
)
)
or (
// if there is an attachment, there can be only one
length(attachments) == 1
and all(attachments,
// it's a PDF,
.file_type == "pdf"
and (
// static content_id value for the attachments
(
.content_id == '<@yahoo.com>'
or .content_id == '@yahoo.com'
)
// created by observed static PDF details
or (
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
and beta.parse_exif(.).title is null
and beta.parse_exif(.).producer == 'Qt 4.8.7'
)
)
)
)
)
Playground
Test against your own EMLs or sample data.