detection.wiki

Detection rules › Sublime MQL

Attachment: Callback phishing solicitation via text-based file

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCallback Phishing
Tactics and techniquesEvasion, Out of band pivot, Social engineering

Event coverage

Message attribute
attachments (collection)
body
body.current_thread
body.links (collection)
headers (collection)
headers.hops (collection)
sender.email
subject
type

Rule body MQL

type.inbound
and length(subject.subject) <= 10
// there are no links, all the links are to aka.ms, or an extraction from a warning banner that match the senders domain
and (
  length(body.links) == 0
  or length(filter(body.links,
                   (
                     .display_text is null
                     and .display_url.url == sender.email.domain.root_domain
                   )
                   or .href_url.domain.domain == "aka.ms"
                   or network.whois(.display_url.domain).days_old < 30
            )
  ) == length(body.links)
)
and (body.current_thread.text is null or length(body.current_thread.text) < 50)
and 0 < length(attachments) < 4
and any(attachments,
        (
          .content_type == "text/plain"
          or .file_type in ("doc", "docx", "xls", "xlsx")
        )
        and any(file.explode(.),
                (.depth == 0 or .flavors.mime == "text/plain")
                // 4 of the following strings are found        
                and 4 of (
                  // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
                  strings.icontains(.scan.strings.raw, "purchase"),
                  strings.icontains(.scan.strings.raw, "payment"),
                  strings.icontains(.scan.strings.raw, "transaction"),
                  strings.icontains(.scan.strings.raw, "subscription"),
                  strings.icontains(.scan.strings.raw, "antivirus"),
                  strings.icontains(.scan.strings.raw, "order"),
                  strings.icontains(.scan.strings.raw, "support"),
                  strings.icontains(.scan.strings.raw, "help line"),
                  strings.icontains(.scan.strings.raw, "receipt"),
                  strings.icontains(.scan.strings.raw, "invoice"),
                  strings.icontains(.scan.strings.raw, "call"),
                  strings.icontains(.scan.strings.raw, "helpdesk"),
                  strings.icontains(.scan.strings.raw, "cancel"),
                  strings.icontains(.scan.strings.raw, "renew"),
                  strings.icontains(.scan.strings.raw, "refund"),
                  regex.icontains(.scan.strings.raw, "(?:reach|contact) us at"),
                  strings.icontains(.scan.strings.raw, "+1"),
                  strings.icontains(.scan.strings.raw, "amount"),
                  strings.icontains(.scan.strings.raw, "charged"),
                  strings.icontains(.scan.strings.raw, "crypto"),
                  strings.icontains(.scan.strings.raw, "wallet address"),
                  regex.icontains(.scan.strings.raw, '\$\d{3}\.\d{2}\b'),
                  regex.icontains(.scan.strings.raw,
                                  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                                  '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
                  ),
                )
                // this section is synced with attachment_callback_phish_with_pdf.yml and body_callback_phishing_no_attachment.yml
                and regex.icontains(.scan.strings.raw,
                                    '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
                )
        )
)
and profile.by_sender().prevalence != "common"
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and (
      any(distinct(headers.hops, .authentication_results.dmarc is not null),
          strings.ilike(.authentication_results.dmarc, "*fail")
      )
    )
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

Callback Phishing via a text-based file attachment and a short body and subject from an unknown sender.

  1. inbound message
  2. length(subject.subject) ≤ 10
  3. any of:
    • length(body.links) is 0
    • length(filter(body.links, .display_text is null and .display_url.url == sender.email.domain.root_domain or .href_url.domain.domain == 'aka.ms' or network.whois(.display_url.domain).days_old < 30)) is length(body.links)
  4. any of:
    • body.current_thread.text is missing
    • length(body.current_thread.text) < 50
  5. all of:
    • length(attachments) > 0
    • length(attachments) < 4
  6. any of attachments where all hold:
    • any of:
      • .content_type is 'text/plain'
      • .file_type in ('doc', 'docx', 'xls', 'xlsx')
    • any of file.explode(.) where all hold:
      • any of:
        • .depth is 0
        • .flavors.mime is 'text/plain'
      • at least 4 of:
        • .scan.strings.raw contains 'purchase'
        • .scan.strings.raw contains 'payment'
        • .scan.strings.raw contains 'transaction'
        • .scan.strings.raw contains 'subscription'
        • .scan.strings.raw contains 'antivirus'
        • .scan.strings.raw contains 'order'
        • .scan.strings.raw contains 'support'
        • .scan.strings.raw contains 'help line'
        • .scan.strings.raw contains 'receipt'
        • .scan.strings.raw contains 'invoice'
        • .scan.strings.raw contains 'call'
        • .scan.strings.raw contains 'helpdesk'
        • .scan.strings.raw contains 'cancel'
        • .scan.strings.raw contains 'renew'
        • .scan.strings.raw contains 'refund'
        • .scan.strings.raw matches '(?:reach|contact) us at'
        • .scan.strings.raw contains '+1'
        • .scan.strings.raw contains 'amount'
        • .scan.strings.raw contains 'charged'
        • .scan.strings.raw contains 'crypto'
        • .scan.strings.raw contains 'wallet address'
        • .scan.strings.raw matches '\\$\\d{3}\\.\\d{2}\\b'
        • .scan.strings.raw matches any of 2 patterns
          • \+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}
          • \+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
      • .scan.strings.raw matches '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
  7. profile.by_sender().prevalence is not 'common'
  8. not:
    • profile.by_sender().solicited
  9. not:
    • profile.by_sender().any_messages_benign
  10. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • any of distinct(headers.hops) where:
        • .authentication_results.dmarc matches '*fail'
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: attachments[].content_type, attachments[].file_type, body.current_thread.text, body.links, body.links[].display_text, body.links[].display_url.domain, body.links[].display_url.url, body.links[].href_url.domain.domain, headers.hops, headers.hops[].authentication_results.dmarc, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: file.explode, network.whois, profile.by_sender, regex.icontains, strings.icontains, strings.ilike. Reference lists: $high_trust_sender_root_domains.

Indicators matched (33)

FieldMatchValue
body.links[].href_url.domain.domainequalsaka.ms
attachments[].content_typeequalstext/plain
attachments[].file_typememberdoc
attachments[].file_typememberdocx
attachments[].file_typememberxls
attachments[].file_typememberxlsx
file.explode(attachments[])[].flavors.mimeequalstext/plain
strings.icontainssubstringpurchase
strings.icontainssubstringpayment
strings.icontainssubstringtransaction
strings.icontainssubstringsubscription
strings.icontainssubstringantivirus
21 more
strings.icontainssubstringorder
strings.icontainssubstringsupport
strings.icontainssubstringhelp line
strings.icontainssubstringreceipt
strings.icontainssubstringinvoice
strings.icontainssubstringcall
strings.icontainssubstringhelpdesk
strings.icontainssubstringcancel
strings.icontainssubstringrenew
strings.icontainssubstringrefund
regex.icontainsregex(?:reach|contact) us at
strings.icontainssubstring+1
strings.icontainssubstringamount
strings.icontainssubstringcharged
strings.icontainssubstringcrypto
strings.icontainssubstringwallet address
regex.icontainsregex\$\d{3}\.\d{2}\b
regex.icontainsregex\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}
regex.icontainsregex\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
regex.icontainsregex(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)
strings.ilikesubstring*fail