detection.wiki

Detection rules › Sublime MQL

Callback phishing solicitation in message body

Severity
medium
Type
rule
Source
github.com/sublime-security/sublime-rules

A fraudulent invoice/receipt found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

CategoryValues
Attack typesCallback Phishing
Tactics and techniquesFree email provider, Impersonation: Brand, Out of band pivot, Social engineering

Event coverage

Message attribute
body.current_thread
headers (collection)
headers.auth_summary
recipients
recipients.to (collection)
sender.email
type

Rule body MQL

type.inbound
and length(attachments) == 0
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and (
  sender.email.domain.root_domain in $free_email_providers
  or sender.email.domain.tld in $suspicious_tlds
  or network.whois(sender.email.domain).found == false
  or headers.mailer in~ ("Microsoft CDO for Windows 2000")
  or (
    length(recipients.to) == 1
    and all(recipients.to, .email.domain.domain not in $org_domains)
  )
)
and (
  // this section is synced with attachment_callback_phish_with_pdf.yml and attachment_callback_phish_with_img.yml
  regex.icontains(body.current_thread.text,
                  '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
  )
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee", "AT&T")
  )
  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //
  or regex.icontains(beta.ocr(file.message_screenshot()).text,
                     '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
  )
)
and length(body.current_thread.text) < 1750
and (
  (
    // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
    // however, the 3 of logic and requiring a phone number is specific to this rule in order to reduce FPs
    // caused by messages which mention cancelling or otherwise managing a subscription
    // it is also synced and below for message_screenshot OCR output
    3 of (
      strings.icontains(body.current_thread.text, 'purchase'),
      strings.icontains(body.current_thread.text, 'payment'),
      strings.icontains(body.current_thread.text, 'transaction'),
      strings.icontains(body.current_thread.text, 'subscription'),
      strings.icontains(body.current_thread.text, 'antivirus'),
      strings.icontains(body.current_thread.text, 'order'),
      strings.icontains(body.current_thread.text, 'support'),
      strings.icontains(body.current_thread.text, 'help line'),
      strings.icontains(body.current_thread.text, 'receipt'),
      strings.icontains(body.current_thread.text, 'invoice'),
      strings.icontains(body.current_thread.text, 'call'),
      strings.icontains(body.current_thread.text, 'cancel'),
      strings.icontains(body.current_thread.text, 'renew'),
      strings.icontains(body.current_thread.text, 'refund'),
      regex.icontains(body.current_thread.text, "(?:reach|contact) us at"),
      strings.icontains(body.current_thread.text, "+1"),
      strings.icontains(body.current_thread.text, "amount"),
      strings.icontains(body.current_thread.text, "charged"),
      strings.icontains(body.current_thread.text, "crypto"),
      strings.icontains(body.current_thread.text, "wallet address"),
      regex.icontains(body.current_thread.text, '\$\d{3}\.\d{2}\b'),
    )
    // phone number regex
    and regex.icontains(body.current_thread.text,
                        '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                        '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
    )
  )
  or (
    any(file.explode(file.message_screenshot()),
        // this seciton is synced with attachment_callback_phish_with_img.yml and attachment_callback_phish_with_pdf.yml
        // and above for current_thread.text
        3 of (
          strings.icontains(.scan.ocr.raw, 'purchase'),
          strings.icontains(.scan.ocr.raw, 'payment'),
          strings.icontains(.scan.ocr.raw, 'transaction'),
          strings.icontains(.scan.ocr.raw, 'subscription'),
          strings.icontains(.scan.ocr.raw, 'antivirus'),
          strings.icontains(.scan.ocr.raw, 'order'),
          strings.icontains(.scan.ocr.raw, 'support'),
          strings.icontains(.scan.ocr.raw, 'help line'),
          strings.icontains(.scan.ocr.raw, 'receipt'),
          strings.icontains(.scan.ocr.raw, 'invoice'),
          strings.icontains(.scan.ocr.raw, 'call'),
          strings.icontains(.scan.ocr.raw, 'helpdesk'),
          strings.icontains(.scan.ocr.raw, 'cancel'),
          strings.icontains(.scan.ocr.raw, 'renew'),
          strings.icontains(.scan.ocr.raw, 'refund'),
          regex.icontains(.scan.ocr.raw, "(?:reach|contact) us at"),
          strings.icontains(.scan.ocr.raw, '+1'),
          strings.icontains(.scan.ocr.raw, 'amount'),
          strings.icontains(.scan.ocr.raw, 'charged'),
          strings.icontains(.scan.ocr.raw, 'crypto'),
          strings.icontains(.scan.ocr.raw, 'wallet address'),
          regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
        )
        // phone number regex
        and regex.icontains(.scan.ocr.raw,
                            '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                            '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
        )

        // negate messages with previous threads.  While callback phishing with thread hijacking or with current_thread 
        // padded with whitespace and previous threads in the message has been observed, the intetion of using OCR is for image embedded callbacks
        and not regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
        // this notation of previous threads often only occurs once
        and not regex.icontains(.scan.ocr.raw, 'wrote:[\r\n]')
    )
  )
)
// not high trust sender domains
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
and not strings.ends_with(headers.message_id, "@shopify.com>")

Detection logic

Scope: inbound message.

A fraudulent invoice/receipt found in the body of the message. Callback phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.

  1. inbound message
  2. length(attachments) is 0
  3. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  4. any of:
    • sender.email.domain.root_domain in $free_email_providers
    • sender.email.domain.tld in $suspicious_tlds
    • network.whois(sender.email.domain).found is False
    • headers.mailer in ('Microsoft CDO for Windows 2000')
    • all of:
      • length(recipients.to) is 1
      • all of recipients.to where:
        • .email.domain.domain not in $org_domains
  5. any of:
    • body.current_thread.text matches '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
    • any of ml.logo_detect(file.message_screenshot()).brands where:
      • .name in ('PayPal', 'Norton', 'GeekSquad', 'Ebay', 'McAfee', 'AT&T')
    • beta.ocr(file.message_screenshot()).text matches '(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)'
  6. length(body.current_thread.text) < 1750
  7. any of:
    • all of:
      • at least 3 of:
        • body.current_thread.text contains 'purchase'
        • body.current_thread.text contains 'payment'
        • body.current_thread.text contains 'transaction'
        • body.current_thread.text contains 'subscription'
        • body.current_thread.text contains 'antivirus'
        • body.current_thread.text contains 'order'
        • body.current_thread.text contains 'support'
        • body.current_thread.text contains 'help line'
        • body.current_thread.text contains 'receipt'
        • body.current_thread.text contains 'invoice'
        • body.current_thread.text contains 'call'
        • body.current_thread.text contains 'cancel'
        • body.current_thread.text contains 'renew'
        • body.current_thread.text contains 'refund'
        • body.current_thread.text matches '(?:reach|contact) us at'
        • body.current_thread.text contains '+1'
        • body.current_thread.text contains 'amount'
        • body.current_thread.text contains 'charged'
        • body.current_thread.text contains 'crypto'
        • body.current_thread.text contains 'wallet address'
        • body.current_thread.text matches '\\$\\d{3}\\.\\d{2}\\b'
      • body.current_thread.text matches any of 2 patterns
        • \+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}
        • \+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
    • any of file.explode(...) where all hold:
      • at least 3 of:
        • .scan.ocr.raw contains 'purchase'
        • .scan.ocr.raw contains 'payment'
        • .scan.ocr.raw contains 'transaction'
        • .scan.ocr.raw contains 'subscription'
        • .scan.ocr.raw contains 'antivirus'
        • .scan.ocr.raw contains 'order'
        • .scan.ocr.raw contains 'support'
        • .scan.ocr.raw contains 'help line'
        • .scan.ocr.raw contains 'receipt'
        • .scan.ocr.raw contains 'invoice'
        • .scan.ocr.raw contains 'call'
        • .scan.ocr.raw contains 'helpdesk'
        • .scan.ocr.raw contains 'cancel'
        • .scan.ocr.raw contains 'renew'
        • .scan.ocr.raw contains 'refund'
        • .scan.ocr.raw matches '(?:reach|contact) us at'
        • .scan.ocr.raw contains '+1'
        • .scan.ocr.raw contains 'amount'
        • .scan.ocr.raw contains 'charged'
        • .scan.ocr.raw contains 'crypto'
        • .scan.ocr.raw contains 'wallet address'
        • .scan.ocr.raw matches '\\$\\d{3}\\.\\d{2}\\b'
      • .scan.ocr.raw matches any of 2 patterns
        • \+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}
        • \+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
      • not:
        • regex.icount(.scan.ocr.raw, '(?:from|to|sent|date|cc|subject):') > 3
      • not:
        • .scan.ocr.raw matches 'wrote:[\\r\\n]'
  8. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains
  9. not:
    • headers.message_id ends with '@shopify.com>'

Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.mailer, headers.message_id, recipients.to, recipients.to[].email.domain.domain, sender.email.domain, sender.email.domain.root_domain, sender.email.domain.tld, type.inbound. Sensors: beta.ocr, file.explode, file.message_screenshot, ml.logo_detect, network.whois, profile.by_sender, regex.icontains, regex.icount, strings.ends_with, strings.icontains. Reference lists: $free_email_providers, $high_trust_sender_root_domains, $org_domains, $suspicious_tlds.

Indicators matched (35)

FieldMatchValue
headers.mailermemberMicrosoft CDO for Windows 2000
regex.icontainsregex(p.{0,3}a.{0,3}y.{0,3}p.{0,3}a.{0,3}l|ma?c.?fee|n[o0]rt[o0]n|geek.{0,5}squad|ebay|symantec|best buy|lifel[o0]c|secure anywhere|starz|utilities premium|pc security|at&t)
ml.logo_detect(file.message_screenshot()).brands[].namememberPayPal
ml.logo_detect(file.message_screenshot()).brands[].namememberNorton
ml.logo_detect(file.message_screenshot()).brands[].namememberGeekSquad
ml.logo_detect(file.message_screenshot()).brands[].namememberEbay
ml.logo_detect(file.message_screenshot()).brands[].namememberMcAfee
ml.logo_detect(file.message_screenshot()).brands[].namememberAT&T
strings.icontainssubstringpurchase
strings.icontainssubstringpayment
strings.icontainssubstringtransaction
strings.icontainssubstringsubscription
23 more
strings.icontainssubstringantivirus
strings.icontainssubstringorder
strings.icontainssubstringsupport
strings.icontainssubstringhelp line
strings.icontainssubstringreceipt
strings.icontainssubstringinvoice
strings.icontainssubstringcall
strings.icontainssubstringcancel
strings.icontainssubstringrenew
strings.icontainssubstringrefund
regex.icontainsregex(?:reach|contact) us at
strings.icontainssubstring+1
strings.icontainssubstringamount
strings.icontainssubstringcharged
strings.icontainssubstringcrypto
strings.icontainssubstringwallet address
regex.icontainsregex\$\d{3}\.\d{2}\b
regex.icontainsregex\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}
regex.icontainsregex\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}
strings.icontainssubstringhelpdesk
regex.icountregex(?:from|to|sent|date|cc|subject):
regex.icontainsregexwrote:[\r\n]
strings.ends_withsuffix@shopify.com>