sublime-security · morriscode · Nov 20, 2023 · Nov 14, 2023 · Nov 14, 2023 · Nov 14, 2023
@@ -0,0 +1,80 @@
+name: "Callback Phishing: Branded invoice from sender/reply-to domain less than 30 days old"
+description: "This rule checks for invoicing content from a sender, reply-to domain or return-path domain less than 30d old. It also checks the body or the OCR'd screenshot for key words commonly abused in fraudulent invoicing attacks. "
+type: "rule"
+severity: "medium"
+source: |
+
+  type.inbound
+  // reply to domain that's less than 30d old and doesn't match the sender
+  and (
+    (
+      length(headers.reply_to) > 0
+      and all(headers.reply_to,
+              beta.whois(.email.domain).days_old <= 30
+              and .email.email != sender.email.email
+      )
+    )
+
+    // or the return path or sender domain is less than 30d old 
+    or beta.whois(headers.return_path.domain).days_old <= 30
+    or beta.whois(sender.email.domain).days_old <= 30
+  )
+
+  // invoicing with high confidence
+  and any(ml.nlu_classifier(body.current_thread.text).tags,
+          .name == "invoice" and .confidence == "high"
+  )
+
+  // commonly abused brands in body
+  and (
+    strings.ilike(body.current_thread.text,
+                  "*mcafee*",
+                  "*norton*",
+                  "*geek squad*",
+                  "*paypal*",
+                  "*ebay*",
+                  "*symantec*",
+                  "*best buy*",
+                  "*lifelock*",
+                  "*virus*"
+    )
+
+    // commonly abused brand logo
+    or any(ml.logo_detect(beta.message_screenshot()).brands,
+           .name in ("PayPal", "Norton", "GeekSquad", "Ebay")
+    )
+
+    // check message screenshot ocr for commonly abused brands
+    or any(file.explode(beta.message_screenshot()),
+           1 of (
+             strings.icontains(.scan.ocr.raw, "geek squad"),
+             strings.icontains(.scan.ocr.raw, "lifelock"),
+             strings.icontains(.scan.ocr.raw, "best buy"),
+             strings.icontains(.scan.ocr.raw, "mcafee"),
+             strings.icontains(.scan.ocr.raw, "norton"),
+             strings.icontains(.scan.ocr.raw, "ebay"),
+             strings.icontains(.scan.ocr.raw, "paypal"),
+             strings.icontains(.scan.ocr.raw, "virus"),
+           )
+    )
+  )
+
+  // phone number regex
+  and regex.icontains(body.current_thread.text,
+                      '\+?(\d{1}.)?\(?\d{3}?\)?.\d{3}.?\d{4}'
+  )
+  and not profile.by_sender().solicited
+  and not profile.by_sender().any_false_positives
+
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Out of band pivot"
+  - "Social engineering"
+detection_methods:
+  - "Header analysis"
+  - "Natural Language Understanding"
+  - "Optical Character Recognition"
+  - "Whois"
+id: "e6f4af53-dbb6-5917-acee-bfd7d8042c03"