Callback phishing via Zelle Service Abuse
Callback phishing campaigns have been observed abusing Zelle services to send fraudulent payment requests whose text carries callback phishing content.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | BEC/Fraud, Callback Phishing |
| Tactics and techniques | Evasion, Social engineering |
Event coverage
| Message attribute |
|---|
| body.current_thread |
| body.html |
| sender.email |
| subject |
| type |
Rule body MQL
// Inbound Zelle payment-request notifications abused for callback phishing.
// Three conjuncts: (1) attachment-free mail from the zellepay.com root domain,
// (2) the display text says "requested" or the subject carries a phone number,
// (3) the current thread carries a phone number inside double quotes together with
//     callback-scam wording, an NLU callback_scam intent, or Unicode-obfuscated keywords.
type.inbound
and length(attachments) == 0
// Per the rule description the abused service itself sends the mail, so the sender
// root domain is the legitimate one; the rule keys on message content, not spoofing.
and sender.email.domain.root_domain in ("zellepay.com")
and (
// only seeing payment requests abused
strings.ilike(body.html.display_text, "* requested*")
// phone number in subject
// the subject contains the seller's "name", attacks have been seen with the entire callback text in the seller's name
// replace_confusables normalizes lookalike characters before matching; the digit
// class [ilo0-9] additionally admits i, l and o wherever a digit is expected.
or (
regex.icontains(strings.replace_confusables(subject.subject),
'.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*'
)
or regex.icontains(strings.replace_confusables(subject.subject),
'.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*'
)
// +12028001238
or regex.icontains(strings.replace_confusables(subject.subject),
'.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*'
)
// 202-800-1238
or regex.icontains(strings.replace_confusables(subject.subject),
'.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*'
)
// (202) 800-1238
or regex.icontains(strings.replace_confusables(subject.subject),
'.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*'
)
// (202)-800-1238
or regex.icontains(strings.replace_confusables(subject.subject),
'.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*'
)
// a bare ten-digit number starting with 8 only counts when a +1 (or lookalike) country code is also present
or ( // 8123456789
regex.icontains(strings.replace_confusables(subject.subject),
'.*8[ilo0-9]{9}.*'
)
and regex.icontains(strings.replace_confusables(subject.subject),
'\+[1li]'
)
)
)
)
and (
(
// icontains a phone number within the memo section (wrapped in quotes)
// same formats as the subject checks above, each anchored between two double-quote characters
(
regex.icontains(strings.replace_confusables(body.current_thread.text),
'\".*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\"'
)
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'\".*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\"'
)
// +12028001238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'\".*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\"'
)
// 202-800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'\".*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\"'
)
// (202) 800-1238
// NOTE(review): accepts only a single \s after the area code, narrower than the
// subject variant above which accepts [\s-]+ — confirm the difference is intended
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'\".*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*\"'
)
// (202)-800-1238
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'\".*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\"'
)
or ( // 8123456789
regex.icontains(strings.replace_confusables(body.current_thread.text),
'\".*8[ilo0-9]{9}.*\"'
)
and regex.icontains(strings.replace_confusables(body.current_thread.text
),
'\".*\+[1li].*\"'
)
)
)
// callback-scam wording: any one of the alternatives below is enough
and (
(
// at least four of the 36 quoted-phrase patterns; the *"*X*"* shape requires X to
// sit somewhere between two double-quote characters, i.e. inside the quoted note
4 of (
strings.ilike(body.html.inner_text, '*"*you did not*"*'),
strings.ilike(body.html.inner_text, '*"*is not for*"*'),
strings.ilike(body.html.inner_text, '*"*done by you*"*'),
regex.icontains(body.html.inner_text, "\".*didn\'t ma[kd]e this.*\""),
strings.ilike(body.html.inner_text, '*"*Fruad Alert*"*'),
strings.ilike(body.html.inner_text, '*"*Fraud Alert*"*'),
strings.ilike(body.html.inner_text, '*"*fraudulent*"*'),
strings.ilike(body.html.inner_text, '*"*Zelle*"*'),
strings.ilike(body.html.inner_text, '*"*subscription*"*'),
strings.ilike(body.html.inner_text, '*"*antivirus*"*'),
strings.ilike(body.html.inner_text, '*"*order*"*'),
strings.ilike(body.html.inner_text, '*"*support*"*'),
strings.ilike(body.html.inner_text, '*"*sincerely apologize*"*'),
strings.ilike(body.html.inner_text, '*"*receipt*"*'),
strings.ilike(body.html.inner_text, '*"*invoice*"*'),
strings.ilike(body.html.inner_text, '*"*Purchase*"*'),
strings.ilike(body.html.inner_text, '*"*transaction*"*'),
strings.ilike(body.html.inner_text, '*"*Market*Value*"*'),
strings.ilike(body.html.inner_text, '*"*BTC*"*'),
strings.ilike(body.html.inner_text, '*"*call*"*'),
strings.ilike(body.html.inner_text, '*"*get in touch with our*"*'),
strings.ilike(body.html.inner_text, '*"*quickly inform*"*'),
strings.ilike(body.html.inner_text, '*"*quickly reach*"*'),
// NOTE(review): no closing "* on this pattern, unlike its siblings — confirm intentional
strings.ilike(body.html.inner_text,
'*"*detected unusual transactions*'
),
strings.ilike(body.html.inner_text,
'*"*without your authorization*"*'
),
strings.ilike(body.html.inner_text, '*"*cancel*"*'),
strings.ilike(body.html.inner_text, '*"*renew*"*'),
strings.ilike(body.html.inner_text, '*"*refund*"*'),
strings.ilike(body.html.inner_text, '*"*+1*"*'),
regex.icontains(body.html.inner_text, '\"help.{0,3}desk'),
strings.ilike(body.html.inner_text, '*"* your funds*"*'),
strings.ilike(body.html.inner_text, '*"* your checking*"*'),
strings.ilike(body.html.inner_text, '*"* your saving*"*'),
strings.ilike(body.html.inner_text, '*"*transfer*"*'),
strings.ilike(body.html.inner_text, '*"*secure your account*"*'),
strings.ilike(body.html.inner_text, '*"*recover your *"*'),
)
)
// "note from" followed within 50 characters by a call-to-action word
or regex.icontains(body.current_thread.text,
'note from.{0,50}(?:call|reach|contact|paypal)'
)
// NLU classifier assigns the thread text a callback_scam intent
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam"
)
or (
// Unicode confusables words obfuscated in note
// math-bold forms of "+1", "payment", "Help Desk", "refund", "antivirus", "call",
// "cancel"; the ASCII ilike patterns above are not run through replace_confusables
regex.icontains(body.html.inner_text,
'\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
)
)
// a single quoted "kindly" is sufficient on its own
or strings.ilike(body.html.inner_text, '*"*kindly*"*')
)
)
)
Detection logic
Scope: inbound message.
Callback phishing campaigns have been observed abusing Zelle services to send fraudulent payment requests whose text carries callback phishing content.
- inbound message
- length(attachments) is 0
- sender.email.domain.root_domain in ('zellepay.com')
any of:
- body.html.display_text matches '* requested*'
any of:
- strings.replace_confusables(subject.subject) matches '.*\\+?([ilo0-9]{1}.)?\\(?[ilo0-9]{3}?\\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*'
- strings.replace_confusables(subject.subject) matches '.*\\+[ilo0-9]{1,3}[ilo0-9]{10}.*'
- strings.replace_confusables(subject.subject) matches '.*[ilo0-9]{3}\\.[ilo0-9]{3}\\.[ilo0-9]{4}.*'
- strings.replace_confusables(subject.subject) matches '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*'
- strings.replace_confusables(subject.subject) matches '.*\\([ilo0-9]{3}\\)[\\s-]+[ilo0-9]{3}[\\s-]+[ilo0-9]{4}.*'
- strings.replace_confusables(subject.subject) matches '.*\\([ilo0-9]{3}\\)-[ilo0-9]{3}-[ilo0-9]{4}.*'
all of:
- strings.replace_confusables(subject.subject) matches '.*8[ilo0-9]{9}.*'
- strings.replace_confusables(subject.subject) matches '\\+[1li]'
all of:
any of:
- strings.replace_confusables(body.current_thread.text) matches '\\".*\\+?([ilo0-9]{1}.)?\\(?[ilo0-9]{3}?\\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\\"'
- strings.replace_confusables(body.current_thread.text) matches '\\".*\\+[ilo0-9]{1,3}[ilo0-9]{10}.*\\"'
- strings.replace_confusables(body.current_thread.text) matches '\\".*[ilo0-9]{3}\\.[ilo0-9]{3}\\.[ilo0-9]{4}.*\\"'
- strings.replace_confusables(body.current_thread.text) matches '\\".*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\\"'
- strings.replace_confusables(body.current_thread.text) matches '\\".*\\([ilo0-9]{3}\\)\\s[ilo0-9]{3}-[ilo0-9]{4}.*\\"'
- strings.replace_confusables(body.current_thread.text) matches '\\".*\\([ilo0-9]{3}\\)-[ilo0-9]{3}-[ilo0-9]{4}.*\\"'
all of:
- strings.replace_confusables(body.current_thread.text) matches '\\".*8[ilo0-9]{9}.*\\"'
- strings.replace_confusables(body.current_thread.text) matches '\\".*\\+[1li].*\\"'
any of:
at least 4 of the following 36 patterns match body.html.inner_text:
- '*"*you did not*"*'
- '*"*is not for*"*'
- '*"*done by you*"*'
- '\".*didn\'t ma[kd]e this.*\"'
- '*"*Fruad Alert*"*'
- '*"*Fraud Alert*"*'
- '*"*fraudulent*"*'
- '*"*Zelle*"*'
- '*"*subscription*"*'
- '*"*antivirus*"*'
- '*"*order*"*'
- '*"*support*"*'
- '*"*sincerely apologize*"*'
- '*"*receipt*"*'
- '*"*invoice*"*'
- '*"*Purchase*"*'
- '*"*transaction*"*'
- '*"*Market*Value*"*'
- '*"*BTC*"*'
- '*"*call*"*'
- '*"*get in touch with our*"*'
- '*"*quickly inform*"*'
- '*"*quickly reach*"*'
- '*"*detected unusual transactions*'
- '*"*without your authorization*"*'
- '*"*cancel*"*'
- '*"*renew*"*'
- '*"*refund*"*'
- '*"*+1*"*'
- '\"help.{0,3}desk'
- '*"* your funds*"*'
- '*"* your checking*"*'
- '*"* your saving*"*'
- '*"*transfer*"*'
- '*"*secure your account*"*'
- '*"*recover your *"*'
- body.current_thread.text matches 'note from.{0,50}(?:call|reach|contact|paypal)'
- any of ml.nlu_classifier(body.current_thread.text).intents where:
  - .name is 'callback_scam'
- body.html.inner_text matches '\\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
- body.html.inner_text matches '*"*kindly*"*'
Inspects: body.current_thread.text, body.html.display_text, body.html.inner_text, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: ml.nlu_classifier, regex.icontains, strings.ilike, strings.replace_confusables.
Indicators matched (58)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | member | zellepay.com |
strings.ilike | substring | * requested* |
regex.icontains | regex | .*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.* |
regex.icontains | regex | .*\+[ilo0-9]{1,3}[ilo0-9]{10}.* |
regex.icontains | regex | .*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.* |
regex.icontains | regex | .*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.* |
regex.icontains | regex | .*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.* |
regex.icontains | regex | .*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.* |
regex.icontains | regex | .*8[ilo0-9]{9}.* |
regex.icontains | regex | \+[1li] |
regex.icontains | regex | \".*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\" |
regex.icontains | regex | \".*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\" |
regex.icontains | regex | \".*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\" |
regex.icontains | regex | \".*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\" |
regex.icontains | regex | \".*\([ilo0-9]{3}\)\s[ilo0-9]{3}-[ilo0-9]{4}.*\" |
regex.icontains | regex | \".*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\" |
regex.icontains | regex | \".*8[ilo0-9]{9}.*\" |
regex.icontains | regex | \".*\+[1li].*\" |
strings.ilike | substring | *"*you did not*"* |
strings.ilike | substring | *"*is not for*"* |
strings.ilike | substring | *"*done by you*"* |
regex.icontains | regex | \".*didn\'t ma[kd]e this.*\" |
strings.ilike | substring | *"*Fruad Alert*"* |
strings.ilike | substring | *"*Fraud Alert*"* |
strings.ilike | substring | *"*fraudulent*"* |
strings.ilike | substring | *"*Zelle*"* |
strings.ilike | substring | *"*subscription*"* |
strings.ilike | substring | *"*antivirus*"* |
strings.ilike | substring | *"*order*"* |
strings.ilike | substring | *"*support*"* |
strings.ilike | substring | *"*sincerely apologize*"* |
strings.ilike | substring | *"*receipt*"* |
strings.ilike | substring | *"*invoice*"* |
strings.ilike | substring | *"*Purchase*"* |
strings.ilike | substring | *"*transaction*"* |
strings.ilike | substring | *"*Market*Value*"* |
strings.ilike | substring | *"*BTC*"* |
strings.ilike | substring | *"*call*"* |
strings.ilike | substring | *"*get in touch with our*"* |
strings.ilike | substring | *"*quickly inform*"* |
strings.ilike | substring | *"*quickly reach*"* |
strings.ilike | substring | *"*detected unusual transactions* |
strings.ilike | substring | *"*without your authorization*"* |
strings.ilike | substring | *"*cancel*"* |
strings.ilike | substring | *"*renew*"* |
strings.ilike | substring | *"*refund*"* |
strings.ilike | substring | *"*+1*"* |
regex.icontains | regex | \"help.{0,3}desk |
strings.ilike | substring | *"* your funds*"* |
strings.ilike | substring | *"* your checking*"* |
strings.ilike | substring | *"* your saving*"* |
strings.ilike | substring | *"*transfer*"* |
strings.ilike | substring | *"*secure your account*"* |
strings.ilike | substring | *"*recover your *"* |
regex.icontains | regex | note from.{0,50}(?:call|reach|contact|paypal) |
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | callback_scam |
regex.icontains | regex | \+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹 |
strings.ilike | substring | *"*kindly*"* |