
Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old

This rule looks for invoicing content (a high-confidence NLU "invoice" tag) from a sender, reply-to or return-path domain whose WHOIS registration is 30 days old or less, where the body also contains a phone number — the callback lure. It additionally checks the body text, detected brand logos and the OCR'd message screenshot for brand names commonly abused in fraudulent invoicing attacks (McAfee, Norton, Geek Squad, PayPal, eBay, Symantec, Best Buy, LifeLock).

MITRE ATT&CK

initial-access

Detection Query

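type.inbound
// Every Reply-To address is on a domain registered 30 days ago or less
// (days_old <= 30) and is not simply the sender's own address.
// The length() guard matters: all() over an empty Reply-To list is
// presumably vacuously true — confirm against MQL semantics before removing it.
and (
  (
    length(headers.reply_to) > 0
    and all(headers.reply_to,
            network.whois(.email.domain).days_old <= 30
            and .email.email != sender.email.email
    )
  )

  // or the Return-Path or sender domain is 30 days old or less.
  // NOTE(review): when WHOIS exposes no creation date (redacted or unsupported
  // TLD) days_old is presumably null and the comparison is false, so the rule
  // then depends on one of the other lookups succeeding — verify in testing.
  or network.whois(headers.return_path.domain).days_old <= 30
  or network.whois(sender.email.domain).days_old <= 30
)

// invoicing content, high confidence only
and any(ml.nlu_classifier(body.current_thread.text).tags,
        .name == "invoice" and .confidence == "high"
)

// commonly abused brands, checked three ways: body text, detected logos and
// OCR of the rendered message. "virus" is a generic lure keyword, not a brand.
and (
  strings.ilike(body.current_thread.text,
                "*mcafee*",
                "*norton*",
                "*geek squad*",
                "*paypal*",
                "*ebay*",
                "*symantec*",
                "*best buy*",
                "*lifelock*",
                "*virus*"
  )

  // commonly abused brand logo
  // (McAfee, Best Buy and LifeLock are not in this list; whether
  //  ml.logo_detect knows those brands is not shown here)
  or any(ml.logo_detect(file.message_screenshot()).brands,
         .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
  )

  // check message screenshot ocr for commonly abused brands
  //
  // This rule makes use of a beta feature and is subject to change without notice
  // using the beta feature in custom rules is not suggested until it has been formally released
  //
  // "symantec" is included so this list matches the body-text list above.
  or 1 of (
    strings.icontains(beta.ocr(file.message_screenshot()).text, "geek squad"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "lifelock"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "best buy"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "mcafee"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "norton"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "symantec"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "ebay"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "paypal"),
    strings.icontains(beta.ocr(file.message_screenshot()).text, "virus"),
  )
)

// phone number in the body: the callback lure. Formats covered include
//   +1 800 555 1234, 1-800-555-1234, (800) 555-1234, 800.555.1234, 8005551234
// Each separator is a single optional non-digit. The earlier pattern used '.'
// (which also matches a digit) and made the separator after the area code
// mandatory, so a bare 10-digit number such as 8005551234 was missed while
// any 11-digit run of digits matched.
and regex.icontains(body.current_thread.text,
                    '\+?(\d\D?)?\(?\d{3}\)?\D?\d{3}\D?\d{4}'
)
// sender profile: unsolicited and no prior benign messages
and not profile.by_sender().solicited
and not profile.by_sender().any_messages_benign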

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
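# Sublime detection rule: callback-phishing invoice lure from a recently
# registered sender / Reply-To / Return-Path domain, with a phone number and
# an abused brand name in the body text, detected logos or OCR'd screenshot.
name: "Callback phishing: Branded invoice from sender/reply-to domain less than 30 days old"
description: "This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. "
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Every Reply-To address is on a domain registered 30 days ago or less
  // (days_old <= 30) and is not simply the sender's own address.
  // The length() guard matters: all() over an empty Reply-To list is
  // presumably vacuously true — confirm against MQL semantics before removing it.
  and (
    (
      length(headers.reply_to) > 0
      and all(headers.reply_to,
              network.whois(.email.domain).days_old <= 30
              and .email.email != sender.email.email
      )
    )
  
    // or the Return-Path or sender domain is 30 days old or less.
    // NOTE(review): when WHOIS exposes no creation date (redacted or unsupported
    // TLD) days_old is presumably null and the comparison is false, so the rule
    // then depends on one of the other lookups succeeding — verify in testing.
    or network.whois(headers.return_path.domain).days_old <= 30
    or network.whois(sender.email.domain).days_old <= 30
  )
  
  // invoicing content, high confidence only
  and any(ml.nlu_classifier(body.current_thread.text).tags,
          .name == "invoice" and .confidence == "high"
  )
  
  // commonly abused brands, checked three ways: body text, detected logos and
  // OCR of the rendered message. "virus" is a generic lure keyword, not a brand.
  and (
    strings.ilike(body.current_thread.text,
                  "*mcafee*",
                  "*norton*",
                  "*geek squad*",
                  "*paypal*",
                  "*ebay*",
                  "*symantec*",
                  "*best buy*",
                  "*lifelock*",
                  "*virus*"
    )
  
    // commonly abused brand logo
    // (McAfee, Best Buy and LifeLock are not in this list; whether
    //  ml.logo_detect knows those brands is not shown here)
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
    )
  
    // check message screenshot ocr for commonly abused brands
    //
    // This rule makes use of a beta feature and is subject to change without notice
    // using the beta feature in custom rules is not suggested until it has been formally released
    //
    // "symantec" is included so this list matches the body-text list above.
    or 1 of (
      strings.icontains(beta.ocr(file.message_screenshot()).text, "geek squad"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "lifelock"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "best buy"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "mcafee"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "norton"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "symantec"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "ebay"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "paypal"),
      strings.icontains(beta.ocr(file.message_screenshot()).text, "virus"),
    )
  )
  
  // phone number in the body: the callback lure. Formats covered include
  //   +1 800 555 1234, 1-800-555-1234, (800) 555-1234, 800.555.1234, 8005551234
  // Each separator is a single optional non-digit. The earlier pattern used '.'
  // (which also matches a digit) and made the separator after the area code
  // mandatory, so a bare 10-digit number such as 8005551234 was missed while
  // any 11-digit run of digits matched.
  and regex.icontains(body.current_thread.text,
                      '\+?(\d\D?)?\(?\d{3}\)?\D?\d{3}\D?\d{4}'
  )
  // sender profile: unsolicited and no prior benign messages
  and not profile.by_sender().solicited
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Whois"
id: "e6f4af53-dbb6-5917-acee-bfd7d8042c03"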