From a3b082a568b7343f6558f70a46846e9e3c7fa6e3 Mon Sep 17 00:00:00 2001
From: Sam Scholten
Date: Mon, 6 Nov 2023 10:42:08 -0500
Subject: [PATCH] Update attachment_callback_phish_with_pdf.yml (#919)
---
 .../attachment_callback_phish_with_pdf.yml | 36 +++++++++++--------
 1 file changed, 21 insertions(+), 15 deletions(-)
diff --git a/detection-rules/attachment_callback_phish_with_pdf.yml b/detection-rules/attachment_callback_phish_with_pdf.yml
index e707ca72c80..5a6e88d96d7 100644
--- a/detection-rules/attachment_callback_phish_with_pdf.yml
+++ b/detection-rules/attachment_callback_phish_with_pdf.yml
@@ -14,19 +14,19 @@ source: |
 and not profile.by_sender().any_false_positives
 )
 )
-
+ // single attachment
 and length(attachments) == 1
-
+ // sender is freemail
 and sender.email.domain.root_domain in $free_email_providers
-
+ // the attachment is a pdf with 1 page, and at least 60 ocr chars
 and any(attachments,
 .file_extension == "pdf"
 and any(file.explode(.), .scan.exiftool.page_count == 1)
 and any(file.explode(.), length(.scan.ocr.raw) > 60)
-
+ // 4 of the following strings are found
 and any(file.explode(.),
 4 of (
@@ -48,20 +48,26 @@ source: |
 regex.icontains(.scan.ocr.raw, '\+\d')
 )
 )
-
+ // 1 of the following strings is found, representing common Callback brands
- and any(file.explode(.),
- 1 of (
- strings.icontains(.scan.ocr.raw, "geek squad"),
- strings.icontains(.scan.ocr.raw, "lifelock"),
- strings.icontains(.scan.ocr.raw, "best buy"),
- strings.icontains(.scan.ocr.raw, "mcafee"),
- strings.icontains(.scan.ocr.raw, "norton"),
- strings.icontains(.scan.ocr.raw, "ebay"),
- strings.icontains(.scan.ocr.raw, "paypal"),
- )
+ and (
+ any(file.explode(.),
+ 1 of (
+ strings.icontains(.scan.ocr.raw, "geek squad"),
+ strings.icontains(.scan.ocr.raw, "lifelock"),
+ strings.icontains(.scan.ocr.raw, "best buy"),
+ strings.icontains(.scan.ocr.raw, "mcafee"),
+ strings.icontains(.scan.ocr.raw, "norton"),
+ strings.icontains(.scan.ocr.raw, "ebay"),
+ strings.icontains(.scan.ocr.raw, "paypal"),
+ )
+ )
+ or any(ml.logo_detect(.).brands,
+ .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
+ )
 )
 )
+
 attack_types:
 - "Callback Phishing"
 tactics_and_techniques:
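Review bot: The comment `// 1 of the following strings is found, representing common Callback brands` no longer describes the condition under it, which now also passes when `ml.logo_detect(.).brands` reports a matching brand with no OCR hit at all; suggest `// 1 of the following brand strings is found in the OCR text, or a matching brand logo is detected`. The logo branch also lists only four brands (`"PayPal", "Norton", "GeekSquad", "Ebay"`) while the OCR list has seven, so a PDF whose McAfee, LifeLock or Best Buy branding appears only as an image the OCR does not read still fails this clause — if the logo model recognizes those brands, adding them would keep the two branches aligned; otherwise a comment saying the logo list is intentionally narrower would help the next editor. The `.` passed to `ml.logo_detect(.)` resolves to the attachment from the enclosing `any(attachments, …)`, which opens in the earlier hunk, and the `source` block scalar itself starts outside this hunk.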