Medium Severity

PayPal Invoice Abuse

Labels

BEC/Fraud

Callback Phishing

Description

A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

References

https://anderegg.ca/2023/02/01/a-novel-paypal-scam

Sublime Security

Created Aug 17th, 2023 • Last updated May 23rd, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and length(attachments) == 0
and sender.email.domain.root_domain in (
  "paypal.com",
  "paypal.com.mx",
  "paypal.com.br",
  "paypal.com.ar",
  "paypal.co.uk"
)
and any(filter(beta.html_xpath(body.html,
                               // all the tables, which don't have descendant tables, after the first image and before a hr with a footerDivider class that appears after the current table.
                               // using //text()[normalize-space()] allows us to split each table up by line breaks, so each line can be inspected uniquely 
                               '//img[@alt="PayPal"]/following::table[not(descendant::table) and count(following::hr[@class="footerDivider"]) > 0]//text()[normalize-space()]'
               ).nodes,
               (
                 // icontains a phone number
                 (
                   regex.icontains(strings.replace_confusables(.display_text),
                                   '\b\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}\b'
                   )
                   or regex.icontains(strings.replace_confusables(.display_text),
                                      '\+[ilo0-9]{1,3}[ilo0-9]{10}'
                   )
                   or // +12028001238
 regex.icontains(strings.replace_confusables(.display_text),
                 '[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}'
                   )
                   or // 202-800-1238
 regex.icontains(strings.replace_confusables(.display_text),
                 '[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}'
                   )
                   or // (202) 800-1238
 regex.icontains(strings.replace_confusables(.display_text),
                 '\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}'
                   )
                   or // (202)-800-1238
 regex.icontains(strings.replace_confusables(.display_text),
                 '\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}'
                   )
                   or ( // 8123456789
                     regex.icontains(strings.replace_confusables(.display_text),
                                     '8[ilo0-9]{9}'
                     )
                     and regex.icontains(strings.replace_confusables(.display_text
                                         ),
                                         '\+[1l]'
                     )
                   )
                 )
               )
               // filter out elements which contain non actor controlled details
               // this often wording from paypal templates that might contain phone numbers
               // but are not elements that are actor controlled. 

               // main customer service number
               and not strings.icontains(.display_text, '888-221-1161')
               // credit services number
               and not strings.icontains(.display_text, '844-896-4937')
               // pay in 4 number
               and not strings.icontains(.display_text, '(800) 504-7534')
               // debt collections for PayPal
               and not strings.icontains(.display_text, '866-380-1798')
               // often the transcation id looks like a phone number and matches the regex
               and not regex.icontains(.display_text, "Transaction (date|ID)\n")
               // this segment can include phone numbers, but the wording is not actor controlled and shows up "under the fold" in the templates
               and not strings.istarts_with(.display_text, "If you have any questions about this payment, you can")
        ),
        strings.icontains(.display_text, "you did not")
        or strings.icontains(.display_text, "Critical Alert")
        or strings.icontains(.display_text, "is not for")
        or strings.icontains(.display_text, "done by you")
        or regex.icontains(.display_text, "don['’]t recognize")
        or regex.icontains(.display_text, "didn['’]t (?:ma[kd]e|place) this")
        or regex.icontains(.display_text, "[wh]as.*placed by you")
        or strings.icontains(.display_text, "issue with")
        or regex.icontains(.display_text, "was.*made by you")
        or (
          strings.icontains(.display_text, "Fraud")
          and strings.icontains(.display_text, "Alert")
        )
        or strings.icontains(.display_text, "fraudulent")
        or strings.icontains(.display_text, "using your PayPal")
        or strings.icontains(.display_text, "subscription")
        or strings.icontains(.display_text, "antivirus")
        or strings.icontains(.display_text, "support")
        or strings.icontains(.display_text, "sincerely apologize")
        or strings.icontains(.display_text, "receipt")
        // pull in common wording from transaction types from paypal
        // this wording should be part of the template and not actor controlled
        // but is generally prepended or appended with actor controlled elements
        // such as using the business name to deliver callback details
        // when a phone number is present 
        or strings.icontains(.display_text, "sent you an invoice")
        or strings.icontains(.display_text, "a money request")
        or strings.icontains(.display_text, "invited you as a developer")

        // 
        or strings.icontains(.display_text, "Purchase")
        or strings.icontains(.display_text, "Market*Value")
        or strings.icontains(.display_text, "BTC")
        or strings.icontains(.display_text, "Etherium (ETH)")
        or strings.icontains(.display_text, "get in touch with our")
        or strings.icontains(.display_text, "quickly inform")
        or strings.icontains(.display_text, "quickly reach ")
        or strings.icontains(.display_text, "detected unusual transactions")
        or strings.icontains(.display_text, "without your authorization")
        or strings.icontains(.display_text, "unauthorized activitiy")
        or strings.icontains(.display_text, "unauthorized transaction")
        or strings.icontains(.display_text, "cancel")
        or strings.icontains(.display_text, "renew")
        or strings.icontains(.display_text, "refund")
        or regex.icontains(.display_text, 'help.{0,3}desk')
        or strings.icontains(.display_text, " your funds")
        or strings.icontains(.display_text, " your checking")
        or strings.icontains(.display_text, " your saving")
        or strings.icontains(.display_text, "secure your account")
        or strings.icontains(.display_text, "recover your")
        or strings.icontains(.display_text, "unusual activity")
        or strings.icontains(.display_text, "suspicious transaction")
        or strings.icontains(.display_text, "transaction history")
        or strings.icontains(.display_text, "please ignore this")
        or strings.icontains(.display_text, "will be approved")
        or strings.icontains(.display_text, "report activity")

        // Unicode confusables words obfuscated in note
        or regex.icontains(.display_text,
                           '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹|𝗰𝗼𝗻𝘁𝗮𝗰𝘁|cᴀʟʟ'
        )
        or strings.icontains(.display_text, "kindly")
        or regex.icontains(strings.replace_confusables(.display_text),
                           '(?:call|cᴀʟʟ|reach|contact|get in touch|\binform\b|let us know)'
        )
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.