
Commit 3df4679

[Shared Samples] [PR #4554] added rule: PR# 4554 - Callback phishing in body or attachment (untrusted sender)
1 parent f081b9d commit 3df4679

1 file changed

Lines changed: 139 additions & 0 deletions


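--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,139 @@
+name: "PR# 4554 - Callback phishing in body or attachment (untrusted sender)"
+description: |
+Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+and length(attachments) < 5
+and (
+any(attachments,
+(.file_type in $file_types_images or .file_type in ("pdf", "xlsx"))
+and (
+any(ml.nlu_classifier(beta.ocr(.).text).intents,
+.name == "callback_scam" and .confidence in ("medium", "high")
+)
+or any(file.explode(.),
+
+// exclude images taken with mobile cameras and screenshots from android
+not any(.scan.exiftool.fields,
+.key == "Model"
+or (
+.key == "Software"
+and strings.starts_with(.value, "Android")
+)
+or (.key == "UserComment" and .value == "Screenshot")
+)
+and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+.name == "callback_scam"
+and .confidence in ("medium", "high")
+)
+)
+)
+and (
+// negate noreply unless a logo is found in the attachment
+(
+sender.email.local_part in ("no_reply", "noreply")
+and any(ml.logo_detect(.).brands,
+.name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
+)
+)
+or sender.email.local_part not in ("no_reply", "noreply")
+)
+)
+or (
+any(ml.nlu_classifier(body.current_thread.text).intents,
+.name in ("callback_scam") and .confidence in ("medium", "high")
+)
+and (
+(
+270 < length(body.current_thread.text) < 1750
+or (
+75 < length(body.current_thread.text) < 2000
+and (
+strings.ilike(body.current_thread.text,
+"*PayPal*",
+"*Norton*",
+"*Geek Squad*",
+"*Ebay*",
+"*McAfee*",
+"*=1"
+)
+// phone number regex
+or regex.icontains(body.current_thread.text,
+'\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
+'\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
+)
+or 1 of (
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"geek squad"
+),
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"lifelock"
+),
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"best buy"
+),
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"mcafee"
+),
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"norton"
+),
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"ebay"
+),
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"paypal"
+),
+strings.icontains(beta.ocr(file.message_screenshot()).text,
+"virus"
+),
+)
+)
+)
+)
+)
+)
+)
+and not (
+any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
+and strings.icontains(body.html.raw, "bigcommerce.com")
+)
+and (
+not profile.by_sender_email().solicited
+or (
+profile.by_sender_email().any_messages_malicious_or_spam
+and not profile.by_sender_email().any_messages_benign
+)
+)
+
+// negate highly trusted sender domains unless they fail DMARC authentication
+and (
+(
+sender.email.domain.root_domain in $high_trust_sender_root_domains
+and not headers.auth_summary.dmarc.pass
+)
+or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+)
+// negate opsgenie email notifications
+and not sender.email.email == 'opsgenie@opsgenie.net'
+
+attack_types:
+- "Callback Phishing"
+tactics_and_techniques:
+- "Out of band pivot"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "File analysis"
+- "Optical Character Recognition"
+- "Natural Language Understanding"
+- "Sender analysis"
+id: "717cb60d-1e07-5c02-860c-e1e3c7eac477"
+tags:
+- created_from_open_prs
+- rule_status_modified
+- pr_author_cybher0808
+references:
+- https://github.com/sublime-security/sublime-rules/pull/4554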
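Review bot: The `1 of (...)` group at file lines 67–92 calls `beta.ocr(file.message_screenshot())` eight separate times, once per brand substring; since `strings.icontains` takes several substrings the same way `strings.ilike` is already used at lines 54–61, the group collapses to one call: `or strings.icontains(beta.ocr(file.message_screenshot()).text, "geek squad", "lifelock", "best buy", "mcafee", "norton", "ebay", "paypal", "virus")`. Whether the engine caches the screenshot OCR across repeated calls is not visible here, so the single-call form is at least the clearer one and avoids re-running OCR if it does not. The `description` at line 3 only mentions text within images of receipts or invoices, but the disjunct starting at line 44 fires on body text alone (bounded by length and backed by brand names or phone-number patterns), so it should say so, e.g. `Detects callback scams from untrusted senders by classifying callback-scam intent in the message body, or in OCR text of image, PDF or XLSX attachments, supported by brand names, logos or phone-number patterns.`. The body branch at line 46 writes `.name in ("callback_scam")` where the two attachment branches use `.name == "callback_scam"`; the `==` form is the consistent one. The `"*=1"` wildcard at line 60 has no comment saying what it is meant to match, and a one-line `//` note beside it would save the next maintainer a guess.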
