Detection rules › Sublime MQL

Callback phishing via extensionless rfc822 attachment

Severity
high
Type
rule
Source
github.com/sublime-security/sublime-rules

This rule detects messages with an unknown file_type (extensionless) and a content_type of 'message/rfc822' containing an image file with Callback Phishing indicators.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Callback Phishing
Tactics and techniques | Impersonation: Brand, Social engineering

Event coverage

Rule body MQL

type.inbound
and any(attachments,
        .file_type == "unknown"
        and (.content_type == "message/rfc822" or .file_extension in ('eml'))
        and any(file.explode(.),
                strings.starts_with(.flavors.mime, "image")

                // and Image contains callback phishing indicators
                and 4 of (
                  strings.icontains(.scan.ocr.raw, "purchase"),
                  strings.icontains(.scan.ocr.raw, "subscription"),
                  strings.icontains(.scan.ocr.raw, "antivirus"),
                  strings.icontains(.scan.ocr.raw, "order"),
                  strings.icontains(.scan.ocr.raw, "support"),
                  strings.icontains(.scan.ocr.raw, "receipt"),
                  strings.icontains(.scan.ocr.raw, "amount"),
                  strings.icontains(.scan.ocr.raw, "charged"),
                  strings.icontains(.scan.ocr.raw, "invoice"),
                  strings.icontains(.scan.ocr.raw, "call"),
                  strings.icontains(.scan.ocr.raw, "cancel"),
                  strings.icontains(.scan.ocr.raw, "renew"),
                  strings.icontains(.scan.ocr.raw, "refund"),
                  strings.icontains(.scan.ocr.raw, "+1")
                )
        )
        and any(file.explode(.),
                strings.ilike(.scan.ocr.raw,
                              "*geek*squad*",
                              "*lifelock*",
                              "*best buy*",
                              "*mcafee*",
                              "*norton*",
                              "*ebay*",
                              "*paypal*",
                              "*secure anywhere*"
                )
                or any(ml.nlu_classifier(.scan.ocr.raw).intents,
                       .name in ("callback_scam")
                       and .confidence == "high"
                       and length(body.current_thread.text) < 1500
                )
        )
)
and (
  not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign
)

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of attachments where all hold:
    • .file_type is 'unknown'
    • any of:
      • .content_type is 'message/rfc822'
      • .file_extension in ('eml')
    • any of file.explode(.) where all hold:
      • .flavors.mime starts with 'image'
      • at least 4 of these 14 hold: .scan.ocr.raw contains the pattern (case-insensitive)
        • purchase
        • subscription
        • antivirus
        • order
        • support
        • receipt
        • amount
        • charged
        • invoice
        • call
        • cancel
        • renew
        • refund
        • +1
    • any of file.explode(.) where any holds:
      • .scan.ocr.raw matches any of 8 patterns
        • *geek*squad*
        • *lifelock*
        • *best buy*
        • *mcafee*
        • *norton*
        • *ebay*
        • *paypal*
        • *secure anywhere*
      • any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
        • .name in ('callback_scam')
        • .confidence is 'high'
        • length(body.current_thread.text) < 1500
  3. all of:
    • not:
      • profile.by_sender().solicited
    • not:
      • profile.by_sender().any_messages_benign
  4. any of:
    • all of:
      • sender.email.domain.root_domain in $high_trust_sender_root_domains
      • not:
        • headers.auth_summary.dmarc.pass
    • sender.email.domain.root_domain not in $high_trust_sender_root_domains

Inspects: attachments[].content_type, attachments[].file_extension, attachments[].file_type, body.current_thread.text, headers.auth_summary.dmarc.pass, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.nlu_classifier, profile.by_sender, strings.icontains, strings.ilike, strings.starts_with. Reference lists: $high_trust_sender_root_domains.
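An added example, not part of the Sublime rule set, that models the rule's attachment predicate and sender gating in Python so the 4-of-14 keyword threshold and the brand wildcard branch can be exercised on constructed OCR text; the outputs of file.explode and ml.nlu_classifier are assumed to be supplied by the caller as plain fields.

```python
from fnmatch import fnmatchcase

# The 14 OCR indicators and 8 brand globs exactly as in the rule body.
KEYWORDS = ["purchase", "subscription", "antivirus", "order", "support",
            "receipt", "amount", "charged", "invoice", "call", "cancel",
            "renew", "refund", "+1"]
BRAND_PATTERNS = ["*geek*squad*", "*lifelock*", "*best buy*", "*mcafee*",
                  "*norton*", "*ebay*", "*paypal*", "*secure anywhere*"]

def keyword_hits(ocr):
    # strings.icontains: case-insensitive substring test, one hit per indicator
    text = ocr.lower()
    return sum(1 for k in KEYWORDS if k in text)

def brand_match(ocr):
    # strings.ilike: case-insensitive glob where '*' matches anything
    text = ocr.lower()
    return any(fnmatchcase(text, p) for p in BRAND_PATTERNS)

def attachment_matches(att, body_len):
    # att is an assumed dict: file_type, content_type, file_extension and
    # "exploded", a list of {"mime", "ocr", "intents": [(name, confidence)]}
    # standing in for file.explode(.) and ml.nlu_classifier(...).intents.
    if att["file_type"] != "unknown":
        return False
    if not (att["content_type"] == "message/rfc822"
            or att.get("file_extension") == "eml"):
        return False
    files = att["exploded"]
    image_with_indicators = any(f["mime"].startswith("image")
                                and keyword_hits(f["ocr"]) >= 4 for f in files)
    brand_or_intent = any(brand_match(f["ocr"])
                          or any(n == "callback_scam" and c == "high"
                                 and body_len < 1500
                                 for n, c in f.get("intents", []))
                          for f in files)
    return image_with_indicators and brand_or_intent

def sender_checks_pass(solicited, any_benign, root_domain, high_trust, dmarc_pass):
    # Unsolicited sender with no benign history; a high-trust root domain is
    # only allowed through when its DMARC check fails.
    if solicited or any_benign:
        return False
    return root_domain not in high_trust or not dmarc_pass

# Constructed sample: extensionless forwarded message whose only part is an
# OCR'd image of a fake antivirus renewal receipt.
SAMPLE = {"file_type": "unknown", "content_type": "message/rfc822",
          "file_extension": None, "exploded": [{"mime": "image/png", "intents": [],
          "ocr": "Thank you for your purchase. Your Norton antivirus subscription "
                 "renewed. Amount charged: $399.99. To cancel call +1 (800) 555-0100"}]}
```

A forwarded image of a genuine order confirmation typically trips only one or two of the keywords and no brand glob, so it stays below the threshold.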

Indicators matched (28)

Field | Match | Value
attachments[].file_type | equals | unknown
attachments[].content_type | equals | message/rfc822
attachments[].file_extension | member | eml
strings.starts_with | prefix | image
strings.icontains | substring | purchase
strings.icontains | substring | subscription
strings.icontains | substring | antivirus
strings.icontains | substring | order
strings.icontains | substring | support
strings.icontains | substring | receipt
strings.icontains | substring | amount
strings.icontains | substring | charged
strings.icontains | substring | invoice
strings.icontains | substring | call
strings.icontains | substring | cancel
strings.icontains | substring | renew
strings.icontains | substring | refund
strings.icontains | substring | +1
strings.ilike | substring | *geek*squad*
strings.ilike | substring | *lifelock*
strings.ilike | substring | *best buy*
strings.ilike | substring | *mcafee*
strings.ilike | substring | *norton*
strings.ilike | substring | *ebay*
strings.ilike | substring | *paypal*
strings.ilike | substring | *secure anywhere*
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].name | member | callback_scam
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].confidence | equals | high