
Callback phishing: AOL senders with suspicious HTML template or PDF attachment

Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present.

MITRE ATT&CK

initial-access

Detection Query

// Purpose: flag first-contact, single-recipient messages from AOL accounts whose body
// or sole PDF attachment matches a fixed callback-phishing template.
// Every top-level condition below is AND-ed; a message must satisfy all of them.
type.inbound
// sender is aol
// NOTE(review): this compares the From-header domain only; sender authentication
// (SPF/DKIM/DMARC) is not checked anywhere in this rule
and sender.email.domain.root_domain == "aol.com"

// with no restored/benign messages
// sender-level prevalence check: any prior message from this exact address that was
// marked benign excludes it, which keeps established correspondents out of the match
and not profile.by_sender_email().any_messages_benign

// there is a single recipient: exactly one To address and no Cc or Bcc
and length(recipients.to) == 1
and length(recipients.cc) == 0
and length(recipients.bcc) == 0

// is not a reply
and headers.in_reply_to is null

// this is another way to limit replies but need to account for
// a behavior where Yahoo/AOL seems to include its own message ID as a reference,
// so exactly one References entry is expected rather than zero
and length(headers.references) == 1

// all message-id values end in mail.yahoo.com, some benign messages use @aol.com
// case-insensitive match that includes the closing '>' of the Message-ID
and strings.iends_with(headers.message_id, '@mail.yahoo.com>')

// All are using the legit Yahoo X-Mailer
// this removes AOL sent from iphones and other non AOL client
// NOTE(review): ends_with is case-sensitive here, unlike the iends_with used for the
// Message-ID above — confirm that difference is intentional
and strings.ends_with(headers.mailer, 'AolMailNorrin')

// No recipient exclusions are applied in this rule. Recipients that routinely
// interact with AOL addresses (commonly, but not always, benign traffic) are
// candidates for exclusions added by the deploying organization.
// The message must then match ONE of two arms: (a) no attachment and a known HTML
// template, or (b) exactly one PDF attachment with known static metadata.
and (
  // arm (a): no attachment
  (
    length(attachments) == 0
    // if there are no attachments focus on the HTML template being observed.
    // Each template is matched case-insensitively against the raw HTML and requires
    // CRLF ("\r\n") line endings and this exact attribute order, so any change in the
    // Yahoo/AOL compose markup would stop these matching.
    and (

      // yahoo div followed by <br>
      // font-family: verdana, helvetica, sans-serif;
      strings.icontains(body.html.raw,
                        "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
      )
      // font-family: Helvetica Neue, Helvetica, Arial, sans-serif;
      or strings.icontains(body.html.raw,
                           "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
      )
      // yahoo div followed by doctype: a <!DOCTYPE html> nested inside the compose
      // wrapper, i.e. a complete HTML document placed inside the message body
      // font-family: verdana, helvetica, sans-serif;
      or strings.icontains(body.html.raw,
                           "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
      )
      // font-family: Helvetica Neue, Helvetica, Arial, sans-serif;
      or strings.icontains(body.html.raw,
                           "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
      )
    )
  )
  or (
    // arm (b): if there is an attachment, there can be only one
    length(attachments) == 1
    // with exactly one attachment, all() applies the predicate to that single file
    and all(attachments,
            // it's a PDF,
            .file_type == "pdf"
            and (
              // static content_id value for the attachments: a Content-ID with an
              // empty local part, with or without the surrounding angle brackets
              (
                .content_id == '<@yahoo.com>' or .content_id == '@yahoo.com'
              )
              // created by observed static PDF details
              or (

                //
                // This rule makes use of a beta feature and is subject to change without notice
                // using the beta feature in custom rules is not suggested until it has been formally released
                //
                // PDF document metadata as written by the generating tool: wkhtmltopdf is
                // an HTML-to-PDF converter, 'Qt 4.8.7' is the producer string observed
                // alongside it, and the title must be absent. parse_exif is evaluated
                // once per field here.
                beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
                and beta.parse_exif(.).title is null
                and beta.parse_exif(.).producer == 'Qt 4.8.7'
              )
            )
    )
  )
)

Data Sources

Email Messages, Email Headers, Email Attachments

Platforms

email
Raw Content
# Exported rule definition. "source" holds the MQL detection query verbatim (its own
# comments use //); the remaining keys are rule metadata.
name: "Callback phishing: AOL senders with suspicious HTML template or PDF attachment"
description: "Detects a specific behavioral pattern from AOL senders using consistent HTML templates and PDF attachment characteristics. The pattern includes particular Yahoo-style formatting with specific font families, and standardized PDF metadata when attachments are present."
type: "rule"
severity: "high"
# NOTE: the query calls beta.parse_exif(), which its inline comments flag as a beta
# feature that may change without notice.
source: |
  type.inbound
  // sender is aol
  and sender.email.domain.root_domain == "aol.com"
  
  // with no restored/benign messages
  and not profile.by_sender_email().any_messages_benign
  
  // there is a single recipient
  and length(recipients.to) == 1
  and length(recipients.cc) == 0
  and length(recipients.bcc) == 0
  
  // is not a reply
  and headers.in_reply_to is null
  
  // this is another way to limit replies but need to account for 
  // a behavior where Yahoo/Aol seems to include it's own message ID as a reference
  and length(headers.references) == 1
  
  // all message-id values end in mail.yahoo.com, some benign messages use @aol.com
  and strings.iends_with(headers.message_id, '@mail.yahoo.com>')
  
  // All are using the legit Yahoo X-Mailer
  // this removes AOL sent from iphones and other non AOL client
  and strings.ends_with(headers.mailer, 'AolMailNorrin')
  
  // exclude common recipients which interact with aol addresses that are commonly (but not always) benign 
  // recipeint exclusions are suggested for other recipients
  and (
    // no attachment
    (
      length(attachments) == 0
      // if there are no attachments focus on the HTML template being observed
      and (
  
        // yahoo div followed by <br>
        // // verdana, helvetica, sans-serif;
        strings.icontains(body.html.raw,
                          "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // // Helvetica Neue, Helvetica, Arial, sans-serif;
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><br>\r\n"
        )
        // yahoo div followed by doctype 
        // // verdana, helvetica, sans-serif;
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:verdana, helvetica, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
        // // Helvetica Neue, Helvetica, Arial, sans-serif;
        or strings.icontains(body.html.raw,
                             "<div class=\"yahoo-style-wrap\" style=\"font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:18px;\">\r\n<div dir=\"ltr\" data-setdir=\"false\"><!DOCTYPE html>"
        )
      )
    )
    or (
      // if there is an attachment, there can be only one
      length(attachments) == 1
      and all(attachments,
              // it's a PDF, 
              .file_type == "pdf"
              and (
                // static content_id value for the attachments
                (
                  .content_id == '<@yahoo.com>' or .content_id == '@yahoo.com'
                )
                // created by observed static PDF details
                or (
  
                  // 
                  // This rule makes use of a beta feature and is subject to change without notice
                  // using the beta feature in custom rules is not suggested until it has been formally released
                  // 
                  beta.parse_exif(.).creator == "wkhtmltopdf 0.12.6"
                  and beta.parse_exif(.).title is null
                  and beta.parse_exif(.).producer == 'Qt 4.8.7'
                )
              )
      )
    )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Free email provider"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "File analysis"
  - "HTML analysis"
  - "Exif analysis"
  - "Sender analysis"
id: "f6044eed-ec4b-5959-a4d6-60aa6a8ca76b"