← Back to Explore
sublimemediumRule
Callback phishing via Intuit service abuse
Callback phishing campaigns have been observed abusing Intuit Quickbooks services to send fraudulent invoices with callback phishing contents.
Detection Query
type.inbound
// Legitimate Intuit sending infratructure
and (
sender.email.domain.root_domain in ('intuit.com', 'intuit.co.uk')
// check for SPF or DMARC passed
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
and (
// Callback Phishing in body (brand names required)
(
length(attachments) == 0
// brand names are required.
and regex.icontains(strings.replace_confusables(body.current_thread.text),
(
"mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
)
)
and 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
)
)
// Callback Phishing in the "billtoContent"
or
// icontains a phone number
(
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}.*\n'
)
or regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\+\d{1,3}[ilo0-9]{10}.*\n'
)
or // +12028001238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
)
or // 202-800-1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or // (202) 800-1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
)
or // (202)-800-1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or // 202 800 1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+1\s?[ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}.*\n'
) // 8123456789
or (
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+8\d{9}.*\n'
)
and regex.icontains(strings.replace_confusables(body.html.inner_text),
'\+1'
)
)
)
// all attachments are PDFs with callback phishing indicators Brands Required
or (
length(attachments) < 3
and all(attachments, .file_extension == "pdf")
// the attachment is a pdf with 1 page, and at least 60 ocr chars
and any(attachments,
(
.file_extension == "pdf"
and any(file.explode(.), .scan.exiftool.page_count < 3)
and any(file.explode(.), length(.scan.ocr.raw) > 60)
// 4 of the following strings are found
and (
any(file.explode(.),
4 of (
strings.icontains(.scan.ocr.raw, "purchase"),
strings.icontains(.scan.ocr.raw, "payment"),
strings.icontains(.scan.ocr.raw, "transaction"),
strings.icontains(.scan.ocr.raw, "subscription"),
strings.icontains(.scan.ocr.raw, "antivirus"),
strings.icontains(.scan.ocr.raw, "order"),
strings.icontains(.scan.ocr.raw, "support"),
strings.icontains(.scan.ocr.raw, "help line"),
strings.icontains(.scan.ocr.raw, "receipt"),
strings.icontains(.scan.ocr.raw, "invoice"),
strings.icontains(.scan.ocr.raw, "call"),
strings.icontains(.scan.ocr.raw, "helpdesk"),
strings.icontains(.scan.ocr.raw, "cancel"),
strings.icontains(.scan.ocr.raw, "renew"),
strings.icontains(.scan.ocr.raw, "refund"),
strings.icontains(.scan.ocr.raw, "amount"),
strings.icontains(.scan.ocr.raw, "crypto"),
strings.icontains(.scan.ocr.raw, "wallet address"),
regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
regex.icontains(.scan.ocr.raw,
'(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
),
regex.icontains(.scan.ocr.raw,
'\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
)
)
// 1 of the following strings is found, representing common Callback brands
and (
1 of (
strings.icontains(.scan.ocr.raw, "geek squad"),
strings.icontains(.scan.ocr.raw, "lifelock"),
strings.icontains(.scan.ocr.raw, "best buy"),
strings.icontains(.scan.ocr.raw, "mcafee"),
strings.icontains(.scan.ocr.raw, "norton"),
strings.icontains(.scan.ocr.raw, "ebay"),
strings.icontains(.scan.ocr.raw, "paypal"),
)
// add additional logic for common language for paypal, which is a valid payment method
and not regex.icontains(.scan.ocr.raw,
"paypal[^\n]+accepted"
)
and not regex.icontains(.scan.ocr.raw,
"pay(ment)?.{0,30}(via|by) paypal"
)
and not regex.icontains(.scan.ocr.raw,
'\d{2,4} norton'
) // an address, example: 1234 Norton Road
and not regex.icontains(.scan.ocr.raw,
'sold on.{0,20}ebay'
) // "cannot be sold on Amazon and EBay", from a legit vendor
)
)
or any(ml.logo_detect(.).brands,
.name in ("PayPal", "Norton", "GeekSquad", "Ebay")
)
)
)
)
)
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and (
not beta.profile.by_reply_to().any_messages_benign
or length(headers.reply_to) == 0
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Callback phishing via Intuit service abuse"
description: "Callback phishing campaigns have been observed abusing Intuit Quickbooks services to send fraudulent invoices with callback phishing contents."
type: "rule"
severity: "medium"
source: |
type.inbound
// Legitimate Intuit sending infratructure
and (
sender.email.domain.root_domain in ('intuit.com', 'intuit.co.uk')
// check for SPF or DMARC passed
and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
)
and (
// Callback Phishing in body (brand names required)
(
length(attachments) == 0
// brand names are required.
and regex.icontains(strings.replace_confusables(body.current_thread.text),
(
"mcafee|norton|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifelock"
)
)
and 3 of (
strings.ilike(body.current_thread.text, '*purchase*'),
strings.ilike(body.current_thread.text, '*payment*'),
strings.ilike(body.current_thread.text, '*transaction*'),
strings.ilike(body.current_thread.text, '*subscription*'),
strings.ilike(body.current_thread.text, '*antivirus*'),
strings.ilike(body.current_thread.text, '*order*'),
strings.ilike(body.current_thread.text, '*support*'),
strings.ilike(body.current_thread.text, '*help line*'),
strings.ilike(body.current_thread.text, '*receipt*'),
strings.ilike(body.current_thread.text, '*invoice*'),
strings.ilike(body.current_thread.text, '*call*'),
strings.ilike(body.current_thread.text, '*cancel*'),
strings.ilike(body.current_thread.text, '*renew*'),
strings.ilike(body.current_thread.text, '*refund*')
)
// phone number regex
and any([body.current_thread.text, subject.subject],
regex.icontains(., '\b\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}\b')
)
)
// Callback Phishing in the "billtoContent"
or
// icontains a phone number
(
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}.*\n'
)
or regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\+\d{1,3}[ilo0-9]{10}.*\n'
)
or // +12028001238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+[ilo0-9]{3}\.[ilo0-9]{3}\.[ilo0-9]{4}.*\n'
)
or // 202-800-1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or // (202) 800-1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\([ilo0-9]{3}\)[\s-]+[ilo0-9]{3}[\s-]+[ilo0-9]{4}.*\n'
)
or // (202)-800-1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+\([ilo0-9]{3}\)-[ilo0-9]{3}-[ilo0-9]{4}.*\n'
)
or // 202 800 1238
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+1\s?[ilo0-9]{3} [ilo0-9]{3} [ilo0-9]{4}.*\n'
) // 8123456789
or (
regex.icontains(strings.replace_confusables(body.html.inner_text),
'(?:Sold|Bill)[\s\xa0]To(?:\:\s+|\n)[^\n]+8\d{9}.*\n'
)
and regex.icontains(strings.replace_confusables(body.html.inner_text),
'\+1'
)
)
)
// all attachments are PDFs with callback phishing indicators Brands Required
or (
length(attachments) < 3
and all(attachments, .file_extension == "pdf")
// the attachment is a pdf with 1 page, and at least 60 ocr chars
and any(attachments,
(
.file_extension == "pdf"
and any(file.explode(.), .scan.exiftool.page_count < 3)
and any(file.explode(.), length(.scan.ocr.raw) > 60)
// 4 of the following strings are found
and (
any(file.explode(.),
4 of (
strings.icontains(.scan.ocr.raw, "purchase"),
strings.icontains(.scan.ocr.raw, "payment"),
strings.icontains(.scan.ocr.raw, "transaction"),
strings.icontains(.scan.ocr.raw, "subscription"),
strings.icontains(.scan.ocr.raw, "antivirus"),
strings.icontains(.scan.ocr.raw, "order"),
strings.icontains(.scan.ocr.raw, "support"),
strings.icontains(.scan.ocr.raw, "help line"),
strings.icontains(.scan.ocr.raw, "receipt"),
strings.icontains(.scan.ocr.raw, "invoice"),
strings.icontains(.scan.ocr.raw, "call"),
strings.icontains(.scan.ocr.raw, "helpdesk"),
strings.icontains(.scan.ocr.raw, "cancel"),
strings.icontains(.scan.ocr.raw, "renew"),
strings.icontains(.scan.ocr.raw, "refund"),
strings.icontains(.scan.ocr.raw, "amount"),
strings.icontains(.scan.ocr.raw, "crypto"),
strings.icontains(.scan.ocr.raw, "wallet address"),
regex.icontains(.scan.ocr.raw, '\$\d{3}\.\d{2}\b'),
regex.icontains(.scan.ocr.raw,
'(\+\d|1.(\()?\d{3}(\))?\D\d{3}\D\d{4})'
),
regex.icontains(.scan.ocr.raw,
'\+?(\d{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}\d{3}[\s\.\-⋅]{0,5}\d{4}'
)
)
// 1 of the following strings is found, representing common Callback brands
and (
1 of (
strings.icontains(.scan.ocr.raw, "geek squad"),
strings.icontains(.scan.ocr.raw, "lifelock"),
strings.icontains(.scan.ocr.raw, "best buy"),
strings.icontains(.scan.ocr.raw, "mcafee"),
strings.icontains(.scan.ocr.raw, "norton"),
strings.icontains(.scan.ocr.raw, "ebay"),
strings.icontains(.scan.ocr.raw, "paypal"),
)
// add additional logic for common language for paypal, which is a valid payment method
and not regex.icontains(.scan.ocr.raw,
"paypal[^\n]+accepted"
)
and not regex.icontains(.scan.ocr.raw,
"pay(ment)?.{0,30}(via|by) paypal"
)
and not regex.icontains(.scan.ocr.raw,
'\d{2,4} norton'
) // an address, example: 1234 Norton Road
and not regex.icontains(.scan.ocr.raw,
'sold on.{0,20}ebay'
) // "cannot be sold on Amazon and EBay", from a legit vendor
)
)
or any(ml.logo_detect(.).brands,
.name in ("PayPal", "Norton", "GeekSquad", "Ebay")
)
)
)
)
)
)
//
// This rule makes use of a beta feature and is subject to change without notice
// using the beta feature in custom rules is not suggested until it has been formally released
//
and (
not beta.profile.by_reply_to().any_messages_benign
or length(headers.reply_to) == 0
)
attack_types:
- "Callback Phishing"
tactics_and_techniques:
- "Evasion"
- "Free email provider"
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "Header analysis"
- "Optical Character Recognition"
id: "f2fe1294-ca43-5290-84fd-02f8149c5de7"