Detection rules › Sublime MQL
Callback phishing: SumUp infrastructure abuse
A fraudulent invoice/receipt found in the body of the message sent by exploiting SumUp's receipt email service.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Callback Phishing |
| Tactics and techniques | Evasion, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| body.html |
| sender.email |
| type |
Rule body MQL
type.inbound
and sender.email.domain.root_domain in ("sumup.com")
and (
strings.ilike(body.html.display_text, "*delivery note*")
or strings.ilike(body.html.display_text, "*made with sumup*")
)
// keep in sync with https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
and (
(
// icontains a phone number
(
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
)
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
)
// +12028001238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
)
// 202-800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
// (202) 800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
)
// (202)-800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or ( // 8123456789
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*8[ilo0-9]{9}.*\n'
)
and regex.icontains(strings.replace_confusables(body.current_thread.text
),
'\+[1l]'
)
)
)
and (
(
4 of (
strings.ilike(body.html.inner_text, '*you did not*'),
strings.ilike(body.html.inner_text, '*is not for*'),
strings.ilike(body.html.inner_text, '*done by you*'),
regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
strings.ilike(body.html.inner_text, '*Fruad Alert*'),
strings.ilike(body.html.inner_text, '*Fraud Alert*'),
strings.ilike(body.html.inner_text, '*fraudulent*'),
strings.ilike(body.html.inner_text, '*using your PayPal*'),
strings.ilike(body.html.inner_text, '*subscription*'),
strings.ilike(body.html.inner_text, '*antivirus*'),
strings.ilike(body.html.inner_text, '*order*'),
strings.ilike(body.html.inner_text, '*support*'),
strings.ilike(body.html.inner_text, '*sincerely apologize*'),
strings.ilike(body.html.inner_text, '*receipt*'),
strings.ilike(body.html.inner_text, '*invoice*'),
strings.ilike(body.html.inner_text, '*Purchase*'),
strings.ilike(body.html.inner_text, '*transaction*'),
strings.ilike(body.html.inner_text, '*Market*Value*'),
strings.ilike(body.html.inner_text, '*BTC*'),
strings.ilike(body.html.inner_text, '*call*'),
strings.ilike(body.html.inner_text, '*get in touch with our*'),
strings.ilike(body.html.inner_text, '*quickly inform*'),
strings.ilike(body.html.inner_text, '*quickly reach *'),
strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
strings.ilike(body.html.inner_text, '*without your authorization*'),
strings.ilike(body.html.inner_text, '*cancel*'),
strings.ilike(body.html.inner_text, '*renew*'),
strings.ilike(body.html.inner_text, '*refund*'),
strings.ilike(body.html.inner_text, '*+1*'),
regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
strings.ilike(body.html.inner_text, '* your funds*'),
strings.ilike(body.html.inner_text, '* your checking*'),
strings.ilike(body.html.inner_text, '* your saving*'),
strings.ilike(body.html.inner_text, '*transfer*'),
strings.ilike(body.html.inner_text, '*secure your account*'),
strings.ilike(body.html.inner_text, '*recover your*'),
strings.ilike(body.html.inner_text, '*unusual activity*'),
strings.ilike(body.html.inner_text, '*suspicious transaction*'),
strings.ilike(body.html.inner_text, '*transaction history*'),
strings.ilike(body.html.inner_text, '*please ignore this*'),
strings.ilike(body.html.inner_text, '*report activity*'),
)
)
or regex.icontains(body.current_thread.text,
'note from.{0,50}(?:call|reach|contact|paypal)'
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam"
)
or (
// Unicode confusables words obfuscated in note
regex.icontains(body.html.inner_text,
'\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
)
)
or strings.ilike(body.html.inner_text, '*kindly*')
)
)
)
Detection logic
Scope: inbound message.
A fraudulent invoice/receipt found in the body of the message sent by exploiting SumUp's receipt email service.
- inbound message
- sender.email.domain.root_domain in ('sumup.com')
any of:
- body.html.display_text matches '*delivery note*'
- body.html.display_text matches '*made with sumup*'
all of:
any of:
- strings.replace_confusables(body.current_thread.text) matches '.*\\+?([ilo0-9]{1}.)?\\(?[ilo0-9]{3}?\\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*\\+[ilo0-9]{1,3}[ilo0-9]{10}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*[ilo0-9]{3}\\.[ilo0-9]{3}\\.[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*\\([ilo0-9]{3}\\)[\\s-]+[ilo0-9]{3}[\\s-]+[ilo0-9]{4}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '.*\\([ilo0-9]{3}\\)-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'
all of:
- strings.replace_confusables(body.current_thread.text) matches '.*8[ilo0-9]{9}.*\\n'
- strings.replace_confusables(body.current_thread.text) matches '\\+[1l]'
any of:
at least 4 of 41: body.html.inner_text matches any of 41 patterns
*you did not**is not for**done by you*didn\'t ma[kd]e this*Fruad Alert**Fraud Alert**fraudulent**using your PayPal**subscription**antivirus**order**support**sincerely apologize**receipt**invoice**Purchase**transaction**Market*Value**BTC**call**get in touch with our**quickly inform**quickly reach **detected unusual transactions**without your authorization**cancel**renew**refund**+1*help.{0,3}desk* your funds** your checking** your saving**transfer**secure your account**recover your**unusual activity**suspicious transaction**transaction history**please ignore this**report activity*
- body.current_thread.text matches 'note from.{0,50}(?:call|reach|contact|paypal)'
any of
ml.nlu_classifier(body.current_thread.text).intentswhere:- .name is 'callback_scam'
- body.html.inner_text matches '\\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
- body.html.inner_text matches '*kindly*'
Inspects: body.current_thread.text, body.html.display_text, body.html.inner_text, sender.email.domain.root_domain, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.ilike, strings.replace_confusables.
Indicators matched (56)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | member | sumup.com |
strings.ilike | substring | *delivery note* |
strings.ilike | substring | *made with sumup* |
regex.icontains | regex | .*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n |
regex.icontains | regex | .*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n |
regex.icontains | regex | .*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n |
regex.icontains | regex | .*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n |
regex.icontains | regex | .*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n |
regex.icontains | regex | .*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n |
regex.icontains | regex | .*8[ilo0-9]{9}.*\n |
regex.icontains | regex | \+[1l] |
strings.ilike | substring | *you did not* |
44 more
strings.ilike | substring | *is not for* |
strings.ilike | substring | *done by you* |
regex.icontains | regex | didn\'t ma[kd]e this |
strings.ilike | substring | *Fruad Alert* |
strings.ilike | substring | *Fraud Alert* |
strings.ilike | substring | *fraudulent* |
strings.ilike | substring | *using your PayPal* |
strings.ilike | substring | *subscription* |
strings.ilike | substring | *antivirus* |
strings.ilike | substring | *order* |
strings.ilike | substring | *support* |
strings.ilike | substring | *sincerely apologize* |
strings.ilike | substring | *receipt* |
strings.ilike | substring | *invoice* |
strings.ilike | substring | *Purchase* |
strings.ilike | substring | *transaction* |
strings.ilike | substring | *Market*Value* |
strings.ilike | substring | *BTC* |
strings.ilike | substring | *call* |
strings.ilike | substring | *get in touch with our* |
strings.ilike | substring | *quickly inform* |
strings.ilike | substring | *quickly reach * |
strings.ilike | substring | *detected unusual transactions* |
strings.ilike | substring | *without your authorization* |
strings.ilike | substring | *cancel* |
strings.ilike | substring | *renew* |
strings.ilike | substring | *refund* |
strings.ilike | substring | *+1* |
regex.icontains | regex | help.{0,3}desk |
strings.ilike | substring | * your funds* |
strings.ilike | substring | * your checking* |
strings.ilike | substring | * your saving* |
strings.ilike | substring | *transfer* |
strings.ilike | substring | *secure your account* |
strings.ilike | substring | *recover your* |
strings.ilike | substring | *unusual activity* |
strings.ilike | substring | *suspicious transaction* |
strings.ilike | substring | *transaction history* |
strings.ilike | substring | *please ignore this* |
strings.ilike | substring | *report activity* |
regex.icontains | regex | note from.{0,50}(?:call|reach|contact|paypal) |
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | callback_scam |
regex.icontains | regex | \+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹 |
strings.ilike | substring | *kindly* |