Detection rules › Sublime MQL
Service abuse: Payoneer callback scam
A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing, BEC/Fraud |
| Tactics and techniques | Evasion, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| body.html |
| sender.email |
| type |
Rule body MQL
type.inbound
and length(attachments) == 0
and sender.email.domain.root_domain in ("payoneer.com")
and (
(
// icontains a phone number
(
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
)
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
)
// +12028001238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
)
// 202-800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
// (202) 800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
)
// (202)-800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or ( // 8123456789
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*8[ilo0-9]{9}.*\n'
)
and regex.icontains(strings.replace_confusables(body.current_thread.text
),
'\+[1l]'
)
)
)
and (
(
// list of keywords taken from
// https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
4 of (
strings.ilike(body.html.inner_text, '*you did not*'),
strings.ilike(body.html.inner_text, '*is not for*'),
strings.ilike(body.html.inner_text, '*done by you*'),
regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
strings.ilike(body.html.inner_text, "*Fruad Alert*"),
strings.ilike(body.html.inner_text, "*Fraud Alert*"),
strings.ilike(body.html.inner_text, '*using your PayPal*'),
strings.ilike(body.html.inner_text, '*subscription*'),
strings.ilike(body.html.inner_text, '*antivirus*'),
strings.ilike(body.html.inner_text, '*order*'),
strings.ilike(body.html.inner_text, '*support*'),
strings.ilike(body.html.inner_text, '*receipt*'),
strings.ilike(body.html.inner_text, '*invoice*'),
strings.ilike(body.html.inner_text, '*Purchase*'),
strings.ilike(body.html.inner_text, '*transaction*'),
strings.ilike(body.html.inner_text, '*Market*Value*'),
strings.ilike(body.html.inner_text, '*BTC*'),
strings.ilike(body.html.inner_text, '*call*'),
strings.ilike(body.html.inner_text, '*get in touch with our*'),
strings.ilike(body.html.inner_text, '*quickly inform*'),
strings.ilike(body.html.inner_text, '*quickly reach *'),
strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
strings.ilike(body.html.inner_text, '*cancel*'),
strings.ilike(body.html.inner_text, '*renew*'),
strings.ilike(body.html.inner_text, '*refund*'),
strings.ilike(body.html.inner_text, '*+1*'),
regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
)
)
)
)
or (
// Unicode confusables words obfuscated in note
regex.icontains(body.html.inner_text,
'\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
)
)
or strings.ilike(body.html.inner_text, '*kindly*')
)
Detection logic
Scope: inbound message.
A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
- inbound message
- length(attachments) is 0
- sender.email.domain.root_domain in ('payoneer.com')
any of:
all of:
any of:
- strings.replace_confusables(body.current_thread.text) matches '.*\\+?([ilo0-9]{1}.)?\\(?[ilo0-9]{3}?\\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*\\+[ilo0-9]{1,3}[ilo0-9]{10}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*[ilo0-9]{3}\\.[ilo0-9]{3}\\.[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*\\([ilo0-9]{3}\\)[\\s-]+[ilo0-9]{3}[\\s-]+[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*\\([ilo0-9]{3}\\)-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'
all of:
- strings.replace_confusables(body.current_thread.text) matches '.*8[ilo0-9]{9}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '\\+[1l]'
at least 4 of 27: body.html.inner_text matches any of 27 patterns
*you did not**is not for**done by you*didn\'t ma[kd]e this*Fruad Alert**Fraud Alert**using your PayPal**subscription**antivirus**order**support**receipt**invoice**Purchase**transaction**Market*Value**BTC**call**get in touch with our**quickly inform**quickly reach **detected unusual transactions**cancel**renew**refund**+1*help.{0,3}desk
- body.html.inner_text matches '\\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
- body.html.inner_text matches '*kindly*'
Inspects: body.current_thread.text, body.html.inner_text, sender.email.domain.root_domain, type.inbound. Sensors: regex.icontains, strings.ilike, strings.replace_confusables.
Indicators matched (38)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | member | payoneer.com |
regex.icontains | regex | .*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n |
regex.icontains | regex | .*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n |
regex.icontains | regex | .*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n |
regex.icontains | regex | .*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n |
regex.icontains | regex | .*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n |
regex.icontains | regex | .*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n |
regex.icontains | regex | .*8[ilo0-9]{9}.*\n |
regex.icontains | regex | \+[1l] |
strings.ilike | substring | *you did not* |
strings.ilike | substring | *is not for* |
strings.ilike | substring | *done by you* |
26 more
regex.icontains | regex | didn\'t ma[kd]e this |
strings.ilike | substring | *Fruad Alert* |
strings.ilike | substring | *Fraud Alert* |
strings.ilike | substring | *using your PayPal* |
strings.ilike | substring | *subscription* |
strings.ilike | substring | *antivirus* |
strings.ilike | substring | *order* |
strings.ilike | substring | *support* |
strings.ilike | substring | *receipt* |
strings.ilike | substring | *invoice* |
strings.ilike | substring | *Purchase* |
strings.ilike | substring | *transaction* |
strings.ilike | substring | *Market*Value* |
strings.ilike | substring | *BTC* |
strings.ilike | substring | *call* |
strings.ilike | substring | *get in touch with our* |
strings.ilike | substring | *quickly inform* |
strings.ilike | substring | *quickly reach * |
strings.ilike | substring | *detected unusual transactions* |
strings.ilike | substring | *cancel* |
strings.ilike | substring | *renew* |
strings.ilike | substring | *refund* |
strings.ilike | substring | *+1* |
regex.icontains | regex | help.{0,3}desk |
regex.icontains | regex | \+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹 |
strings.ilike | substring | *kindly* |