← Back to Explore
sublimehighRule
Callback phishing via extensionless rfc822 attachment
This rule detects messages with an unknown file_type (extensionless) and a content_type of 'message/rfc822' containing an image file with Callback Phishing indicators.
Detection Query
type.inbound
and any(attachments,
.file_type == "unknown"
and (.content_type == "message/rfc822" or .file_extension in ('eml'))
and any(file.explode(.),
strings.starts_with(.flavors.mime, "image")
// and Image contains callback phishing indicators
and 4 of (
strings.icontains(.scan.ocr.raw, "purchase"),
strings.icontains(.scan.ocr.raw, "subscription"),
strings.icontains(.scan.ocr.raw, "antivirus"),
strings.icontains(.scan.ocr.raw, "order"),
strings.icontains(.scan.ocr.raw, "support"),
strings.icontains(.scan.ocr.raw, "receipt"),
strings.icontains(.scan.ocr.raw, "amount"),
strings.icontains(.scan.ocr.raw, "charged"),
strings.icontains(.scan.ocr.raw, "invoice"),
strings.icontains(.scan.ocr.raw, "call"),
strings.icontains(.scan.ocr.raw, "cancel"),
strings.icontains(.scan.ocr.raw, "renew"),
strings.icontains(.scan.ocr.raw, "refund"),
strings.icontains(.scan.ocr.raw, "+1")
)
)
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*geek*squad*",
"*lifelock*",
"*best buy*",
"*mcafee*",
"*norton*",
"*ebay*",
"*paypal*",
"*secure anywhere*"
)
or any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name in ("callback_scam")
and .confidence == "high"
and length(body.current_thread.text) < 1500
)
)
)
and (
not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Callback phishing via extensionless rfc822 attachment"
description: "This rule detects messages with an unknown file_type (extensionless) and a content_type of 'message/rfc822' containing an image file with Callback Phishing indicators."
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
.file_type == "unknown"
and (.content_type == "message/rfc822" or .file_extension in ('eml'))
and any(file.explode(.),
strings.starts_with(.flavors.mime, "image")
// and Image contains callback phishing indicators
and 4 of (
strings.icontains(.scan.ocr.raw, "purchase"),
strings.icontains(.scan.ocr.raw, "subscription"),
strings.icontains(.scan.ocr.raw, "antivirus"),
strings.icontains(.scan.ocr.raw, "order"),
strings.icontains(.scan.ocr.raw, "support"),
strings.icontains(.scan.ocr.raw, "receipt"),
strings.icontains(.scan.ocr.raw, "amount"),
strings.icontains(.scan.ocr.raw, "charged"),
strings.icontains(.scan.ocr.raw, "invoice"),
strings.icontains(.scan.ocr.raw, "call"),
strings.icontains(.scan.ocr.raw, "cancel"),
strings.icontains(.scan.ocr.raw, "renew"),
strings.icontains(.scan.ocr.raw, "refund"),
strings.icontains(.scan.ocr.raw, "+1")
)
)
and any(file.explode(.),
strings.ilike(.scan.ocr.raw,
"*geek*squad*",
"*lifelock*",
"*best buy*",
"*mcafee*",
"*norton*",
"*ebay*",
"*paypal*",
"*secure anywhere*"
)
or any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name in ("callback_scam")
and .confidence == "high"
and length(body.current_thread.text) < 1500
)
)
)
and (
not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign
)
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
attack_types:
- "Callback Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "File analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "197722c4-a22a-5c36-85d0-085f4b11c44e"