← Back to Explore
sublimemediumRule
Service abuse: Payoneer callback scam
A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.
Detection Query
type.inbound
and length(attachments) == 0
and sender.email.domain.root_domain in ("payoneer.com")
and (
(
// icontains a phone number
(
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
)
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
)
or // +12028001238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
)
or // 202-800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or // (202) 800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
)
or // (202)-800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or ( // 8123456789
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*8[ilo0-9]{9}.*\n'
)
and regex.icontains(strings.replace_confusables(body.current_thread.text
),
'\+[1l]'
)
)
)
and (
(
// list of keywords taken from
// https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
4 of (
strings.ilike(body.html.inner_text, '*you did not*'),
strings.ilike(body.html.inner_text, '*is not for*'),
strings.ilike(body.html.inner_text, '*done by you*'),
regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
strings.ilike(body.html.inner_text, "*Fruad Alert*"),
strings.ilike(body.html.inner_text, "*Fraud Alert*"),
strings.ilike(body.html.inner_text, '*using your PayPal*'),
strings.ilike(body.html.inner_text, '*subscription*'),
strings.ilike(body.html.inner_text, '*antivirus*'),
strings.ilike(body.html.inner_text, '*order*'),
strings.ilike(body.html.inner_text, '*support*'),
strings.ilike(body.html.inner_text, '*receipt*'),
strings.ilike(body.html.inner_text, '*invoice*'),
strings.ilike(body.html.inner_text, '*Purchase*'),
strings.ilike(body.html.inner_text, '*transaction*'),
strings.ilike(body.html.inner_text, '*Market*Value*'),
strings.ilike(body.html.inner_text, '*BTC*'),
strings.ilike(body.html.inner_text, '*call*'),
strings.ilike(body.html.inner_text, '*get in touch with our*'),
strings.ilike(body.html.inner_text, '*quickly inform*'),
strings.ilike(body.html.inner_text, '*quickly reach *'),
strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
strings.ilike(body.html.inner_text, '*cancel*'),
strings.ilike(body.html.inner_text, '*renew*'),
strings.ilike(body.html.inner_text, '*refund*'),
strings.ilike(body.html.inner_text, '*+1*'),
regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
)
)
)
)
or (
// Unicode confusables words obfuscated in note
regex.icontains(body.html.inner_text,
'\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
)
)
or strings.ilike(body.html.inner_text, '*kindly*')
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Service abuse: Payoneer callback scam"
description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
type: "rule"
severity: "medium"
source: |
type.inbound
and length(attachments) == 0
and sender.email.domain.root_domain in ("payoneer.com")
and (
(
// icontains a phone number
(
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\n'
)
or regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\+[ilo0-9]{1,3}[ilo0-9]{10}.*\n'
)
or // +12028001238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
)
or // 202-800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or // (202) 800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
)
or // (202)-800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or ( // 8123456789
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*8[ilo0-9]{9}.*\n'
)
and regex.icontains(strings.replace_confusables(body.current_thread.text
),
'\+[1l]'
)
)
)
and (
(
// list of keywords taken from
// https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
4 of (
strings.ilike(body.html.inner_text, '*you did not*'),
strings.ilike(body.html.inner_text, '*is not for*'),
strings.ilike(body.html.inner_text, '*done by you*'),
regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
strings.ilike(body.html.inner_text, "*Fruad Alert*"),
strings.ilike(body.html.inner_text, "*Fraud Alert*"),
strings.ilike(body.html.inner_text, '*using your PayPal*'),
strings.ilike(body.html.inner_text, '*subscription*'),
strings.ilike(body.html.inner_text, '*antivirus*'),
strings.ilike(body.html.inner_text, '*order*'),
strings.ilike(body.html.inner_text, '*support*'),
strings.ilike(body.html.inner_text, '*receipt*'),
strings.ilike(body.html.inner_text, '*invoice*'),
strings.ilike(body.html.inner_text, '*Purchase*'),
strings.ilike(body.html.inner_text, '*transaction*'),
strings.ilike(body.html.inner_text, '*Market*Value*'),
strings.ilike(body.html.inner_text, '*BTC*'),
strings.ilike(body.html.inner_text, '*call*'),
strings.ilike(body.html.inner_text, '*get in touch with our*'),
strings.ilike(body.html.inner_text, '*quickly inform*'),
strings.ilike(body.html.inner_text, '*quickly reach *'),
strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
strings.ilike(body.html.inner_text, '*cancel*'),
strings.ilike(body.html.inner_text, '*renew*'),
strings.ilike(body.html.inner_text, '*refund*'),
strings.ilike(body.html.inner_text, '*+1*'),
regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
)
)
)
)
or (
// Unicode confusables words obfuscated in note
regex.icontains(body.html.inner_text,
'\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
)
)
or strings.ilike(body.html.inner_text, '*kindly*')
)
attack_types:
- "Callback Phishing"
- "BEC/Fraud"
tactics_and_techniques:
- "Evasion"
- "Social engineering"
detection_methods:
- "Sender analysis"
- "Header analysis"
- "Content analysis"
id: "b7fb174c-c5a0-567a-8090-6ca142d94562"