← Back to Explore
sublimemediumRule
Callback phishing: Social Security Administration fraud
Detects phishing attempts that impersonate the Social Security Administration, using a single PDF attachment containing specific fraud-related language and a callback number.
Detection Query
type.inbound
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// single attachment
and length(attachments) == 1
// sender is freemail
and sender.email.domain.root_domain in $free_email_providers
// the attachment is a pdf with 1 page, and at least 60 ocr chars
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.), .scan.exiftool.page_count == 1)
and any(file.explode(.), length(.scan.ocr.raw) > 60)
// 4 of the following strings are found
and (
any(file.explode(.),
4 of (
strings.icontains(.scan.ocr.raw, "fraudulent activity"),
strings.icontains(.scan.ocr.raw, "Social Security Number"),
strings.icontains(.scan.ocr.raw, "SSN"),
strings.icontains(.scan.ocr.raw, "stolen"),
strings.icontains(.scan.ocr.raw, "illicit activities"),
strings.icontains(.scan.ocr.raw,
"Social Security Administration"
),
strings.icontains(.scan.ocr.raw, "if you are innocent"),
strings.icontains(.scan.ocr.raw, "help line"),
strings.icontains(.scan.ocr.raw, "Department of Justice"),
strings.icontains(.scan.ocr.raw, "innocent"),
regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b')
and (
regex.contains(.scan.ocr.raw,
'(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
)
or regex.contains(.scan.ocr.raw,
'\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
)
)
)
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Callback phishing: Social Security Administration fraud"
description: "Detects phishing attempts that impersonate the Social Security Administration, using a single PDF attachment containing specific fraud-related language and a callback number."
type: "rule"
severity: "medium"
source: |
type.inbound
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
// single attachment
and length(attachments) == 1
// sender is freemail
and sender.email.domain.root_domain in $free_email_providers
// the attachment is a pdf with 1 page, and at least 60 ocr chars
and any(attachments,
.file_extension == "pdf"
and any(file.explode(.), .scan.exiftool.page_count == 1)
and any(file.explode(.), length(.scan.ocr.raw) > 60)
// 4 of the following strings are found
and (
any(file.explode(.),
4 of (
strings.icontains(.scan.ocr.raw, "fraudulent activity"),
strings.icontains(.scan.ocr.raw, "Social Security Number"),
strings.icontains(.scan.ocr.raw, "SSN"),
strings.icontains(.scan.ocr.raw, "stolen"),
strings.icontains(.scan.ocr.raw, "illicit activities"),
strings.icontains(.scan.ocr.raw,
"Social Security Administration"
),
strings.icontains(.scan.ocr.raw, "if you are innocent"),
strings.icontains(.scan.ocr.raw, "help line"),
strings.icontains(.scan.ocr.raw, "Department of Justice"),
strings.icontains(.scan.ocr.raw, "innocent"),
regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b')
and (
regex.contains(.scan.ocr.raw,
'(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
)
or regex.contains(.scan.ocr.raw,
'\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
)
)
)
)
)
)
attack_types:
- "Callback Phishing"
tactics_and_techniques:
- "Evasion"
- "Free email provider"
- "Out of band pivot"
- "PDF"
- "Social engineering"
detection_methods:
- "Exif analysis"
- "File analysis"
- "Optical Character Recognition"
- "Sender analysis"
id: "a9049d52-3611-5b16-8b7c-38cdb639f692"