Detection rules › Sublime MQL
Callback phishing via Zoho service abuse
Callback phishing campaigns have been observed abusing Zoho Invoice services to send fraudulent invoices with callback phishing contents.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Callback Phishing |
| Tactics and techniques | Evasion, Free email provider, Impersonation: Brand, Social engineering |
Event coverage
Rule body MQL
type.inbound
// Legitimate Zoho sending infratructure
and (
sender.email.domain.root_domain in ('zohoinvoice.com')
// check for SPF or DMARC passed
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
and (
// Callback Phishing in body (brand names required)
(
length(attachments) == 0
// brand names are required.
and regex.icontains(body.current_thread.text,
(
"mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
)
)
and 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
)
)
// all attachments are PDFs with callback phishing indicators Brands Required
or (
length(attachments) < 3
and all(attachments, .file_extension == "pdf")
// the attachment is a pdf with 1 page, and at least 60 ocr chars
and any(attachments,
(
.file_extension == "pdf"
and any(file.explode(.), .scan.exiftool.page_count < 3)
and any(file.explode(.), length(.scan.ocr.raw) > 60)
// 4 of the following strings are found
and (
any(file.explode(.),
4 of (
strings.icontains(.scan.ocr.raw, "purchase"),
strings.icontains(.scan.ocr.raw, "payment"),
strings.icontains(.scan.ocr.raw, "transaction"),
strings.icontains(.scan.ocr.raw, "subscription"),
strings.icontains(.scan.ocr.raw, "antivirus"),
strings.icontains(.scan.ocr.raw, "order"),
strings.icontains(.scan.ocr.raw, "support"),
strings.icontains(.scan.ocr.raw, "help line"),
strings.icontains(.scan.ocr.raw, "receipt"),
strings.icontains(.scan.ocr.raw, "invoice"),
strings.icontains(.scan.ocr.raw, "call"),
strings.icontains(.scan.ocr.raw, "helpdesk"),
strings.icontains(.scan.ocr.raw, "cancel"),
strings.icontains(.scan.ocr.raw, "renew"),
strings.icontains(.scan.ocr.raw, "refund"),
strings.icontains(.scan.ocr.raw, "amount"),
strings.icontains(.scan.ocr.raw, "crypto"),
strings.icontains(.scan.ocr.raw, "wallet address"),
regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
regex.icontains(.scan.ocr.raw,
'(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
),
regex.icontains(.scan.ocr.raw,
'\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
)
)
// 1 of the following strings is found, representing common Callback brands
and (
1 of (
strings.icontains(.scan.ocr.raw, "geek squad"),
strings.icontains(.scan.ocr.raw, "lifelock"),
strings.icontains(.scan.ocr.raw, "best buy"),
strings.icontains(.scan.ocr.raw, "mcafee"),
strings.icontains(.scan.ocr.raw, "norton"),
strings.icontains(.scan.ocr.raw, "ebay"),
strings.icontains(.scan.ocr.raw, "paypal"),
)
// add additional logic for common language for paypal, which is a valid payment method
and not regex.icontains(.scan.ocr.raw,
"paypal[^\n]+accepted"
)
and not regex.icontains(.scan.ocr.raw,
"payment.{0,30}(via|by) paypal"
)
and not regex.icontains(.scan.ocr.raw,
'\d{2,4} norton'
) // an address, example: 1234 Norton Road
)
)
or any(ml.logo_detect(.).brands,
.name in ("PayPal", "Norton", "GeekSquad", "Ebay")
)
)
)
)
)
)
Detection logic
Scope: inbound message.
Callback phishing campaigns have been observed abusing Zoho Invoice services to send fraudulent invoices with callback phishing contents.
- inbound message
all of:
- sender.email.domain.root_domain in ('zohoinvoice.com')
any of:
- headers.auth_summary.spf.pass
- headers.auth_summary.dmarc.pass
any of:
all of:
- length(attachments) is 0
- body.current_thread.text matches 'mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock'
at least 3 of 14: body.current_thread.text matches any of 14 patterns
*purchase**payment**transaction**subscription**antivirus**order**support**help line**receipt**invoice**call**cancel**renew**refund*
any of
[body.current_thread.text, subject.subject]where:- . matches '\\b\\+?(\\d{1}.)?\\(?\\d{3}?\\)?.\\d{3}.?\\d{4}\\b'
all of:
- length(attachments) < 3
all of
attachmentswhere:- .file_extension is 'pdf'
any of
attachmentswhere all hold:- .file_extension is 'pdf'
any of
file.explode(.)where:- .scan.exiftool.page_count < 3
any of
file.explode(.)where:- length(.scan.ocr.raw) > 60
any of:
any of
file.explode(.)where all hold:at least 4 of:
- .scan.ocr.raw contains 'purchase'
- .scan.ocr.raw contains 'payment'
- .scan.ocr.raw contains 'transaction'
- .scan.ocr.raw contains 'subscription'
- .scan.ocr.raw contains 'antivirus'
- .scan.ocr.raw contains 'order'
- .scan.ocr.raw contains 'support'
- .scan.ocr.raw contains 'help line'
- .scan.ocr.raw contains 'receipt'
- .scan.ocr.raw contains 'invoice'
- .scan.ocr.raw contains 'call'
- .scan.ocr.raw contains 'helpdesk'
- .scan.ocr.raw contains 'cancel'
- .scan.ocr.raw contains 'renew'
- .scan.ocr.raw contains 'refund'
- .scan.ocr.raw contains 'amount'
- .scan.ocr.raw contains 'crypto'
- .scan.ocr.raw contains 'wallet address'
- .scan.ocr.raw matches '\\$\\d{3}\\.\\d{2}\\b'
- .scan.ocr.raw matches '(\\+\\d|1.(\\()?\\d{3}(\\))?\\D\\d{3}\\D\\d{4})'
- .scan.ocr.raw matches '\\+?(\\d{1,2})?\\s?\\(?\\d{3}\\)?[\\s\\.\\-⋅]{0,5}\\d{3}[\\s\\.\\-⋅]{0,5}\\d{4}'
all of:
at least 1 of 7: .scan.ocr.raw contains any of 7 patterns
geek squadlifelockbest buymcafeenortonebaypaypal
not:
- .scan.ocr.raw matches 'paypal[^\\n]+accepted'
not:
- .scan.ocr.raw matches 'payment.{0,30}(via|by) paypal'
not:
- .scan.ocr.raw matches '\\d{2,4} norton'
any of
ml.logo_detect(.).brandswhere:- .name in ('PayPal', 'Norton', 'GeekSquad', 'Ebay')
Inspects: attachments[].file_extension, body.current_thread.text, headers.auth_summary.dmarc.pass, headers.auth_summary.spf.pass, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: file.explode, ml.logo_detect, regex.icontains, strings.icontains, strings.ilike.
Indicators matched (53)
| Field | Match | Value |
|---|---|---|
sender.email.domain.root_domain | member | zohoinvoice.com |
regex.icontains | regex | mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock |
strings.ilike | substring | *purchase* |
strings.ilike | substring | *payment* |
strings.ilike | substring | *transaction* |
strings.ilike | substring | *subscription* |
strings.ilike | substring | *antivirus* |
strings.ilike | substring | *order* |
strings.ilike | substring | *support* |
strings.ilike | substring | *help line* |
strings.ilike | substring | *receipt* |
strings.ilike | substring | *invoice* |
41 more
strings.ilike | substring | *call* |
strings.ilike | substring | *cancel* |
strings.ilike | substring | *renew* |
strings.ilike | substring | *refund* |
regex.icontains | regex | \b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b |
attachments[].file_extension | equals | pdf |
strings.icontains | substring | purchase |
strings.icontains | substring | payment |
strings.icontains | substring | transaction |
strings.icontains | substring | subscription |
strings.icontains | substring | antivirus |
strings.icontains | substring | order |
strings.icontains | substring | support |
strings.icontains | substring | help line |
strings.icontains | substring | receipt |
strings.icontains | substring | invoice |
strings.icontains | substring | call |
strings.icontains | substring | helpdesk |
strings.icontains | substring | cancel |
strings.icontains | substring | renew |
strings.icontains | substring | refund |
strings.icontains | substring | amount |
strings.icontains | substring | crypto |
strings.icontains | substring | wallet address |
regex.icontains | regex | \$\d{3}\.\d{2}\b |
regex.icontains | regex | (\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4}) |
regex.icontains | regex | \+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4} |
strings.icontains | substring | geek squad |
strings.icontains | substring | lifelock |
strings.icontains | substring | best buy |
strings.icontains | substring | mcafee |
strings.icontains | substring | norton |
strings.icontains | substring | ebay |
strings.icontains | substring | paypal |
regex.icontains | regex | paypal[^\n]+accepted |
regex.icontains | regex | payment.{0,30}(via|by) paypal |
regex.icontains | regex | \d{2,4} norton |
ml.logo_detect(attachments[]).brands[].name | member | PayPal |
ml.logo_detect(attachments[]).brands[].name | member | Norton |
ml.logo_detect(attachments[]).brands[].name | member | GeekSquad |
ml.logo_detect(attachments[]).brands[].name | member | Ebay |