-
Notifications
You must be signed in to change notification settings - Fork 50
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Create abused_payoneer_callback.yml by @zoomequipd #2063 Source SHA 5fd7bd1 Triggered by @zoomequipd
- Loading branch information
Sublime Rule Testing Bot
committed
Oct 26, 2024
1 parent
aea781b
commit 186307f
Showing
1 changed file
with
18 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| name: "Service Abuse: Payoneer Callback Scam" | ||
| description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment." | ||
| type: "rule" | ||
| severity: "medium" | ||
| source: "type.inbound\nand length(attachments) == 0\nand sender.email.domain.root_domain in (\"payoneer.com\")\n\nand (\n (\n // icontains a phone number\n (\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+?([lo0-9]{1}.)?\\(?[lo0-9]{3}?\\)?.[lo0-9]{3}.?[lo0-9]{4}.*\\n'\n )\n or regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+[lo0-9]{1,3}[lo0-9]{10}.*\\n'\n )\n or // +12028001238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[lo0-9]{3}\\.[lo0-9]{3}\\.[lo0-9]{4}.*\\n'\n )\n or // 202-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or // (202) 800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([lo0-9]{3}\\)\\s[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or // (202)-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([lo0-9]{3}\\)-[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or ( // 8123456789\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*8[lo0-9]{9}.*\\n'\n )\n and regex.icontains(strings.replace_confusables(body.current_thread.text\n ),\n '\\+[1l]'\n )\n )\n )\n and (\n (\n 4 of (\n strings.ilike(body.html.inner_text, '*you did not*'),\n strings.ilike(body.html.inner_text, '*is not for*'),\n strings.ilike(body.html.inner_text, '*done by you*'),\n regex.icontains(body.html.inner_text, \"didn\\'t ma[kd]e this\"),\n strings.ilike(body.html.inner_text, \"*Fruad Alert*\"),\n strings.ilike(body.html.inner_text, '*using your PayPal*'),\n strings.ilike(body.html.inner_text, '*subscription*'),\n strings.ilike(body.html.inner_text, '*antivirus*'),\n strings.ilike(body.html.inner_text, '*order*'),\n strings.ilike(body.html.inner_text, '*support*'),\n strings.ilike(body.html.inner_text, '*receipt*'),\n strings.ilike(body.html.inner_text, '*invoice*'),\n strings.ilike(body.html.inner_text, '*Purchase*'),\n strings.ilike(body.html.inner_text, '*transaction*'),\n strings.ilike(body.html.inner_text, '*Market*Value*'),\n strings.ilike(body.html.inner_text, '*BTC*'),\n strings.ilike(body.html.inner_text, '*call*'),\n strings.ilike(body.html.inner_text, '*get in touch with our*'),\n strings.ilike(body.html.inner_text, '*quickly inform*'),\n strings.ilike(body.html.inner_text, '*quickly reach *'),\n strings.ilike(body.html.inner_text, '*detected unusual transactions*'),\n strings.ilike(body.html.inner_text, '*cancel*'),\n strings.ilike(body.html.inner_text, '*renew*'),\n strings.ilike(body.html.inner_text, '*refund*'),\n strings.ilike(body.html.inner_text, '*+1*'),\n strings.ilike(body.html.inner_text, '*help*desk*'),\n )\n )\n )\n )\n or (\n // Unicode confusables words obfuscated in note\n regex.icontains(body.html.inner_text,\n '\\+\U0001D7ED|\U0001D5FD\U0001D5EE\U0001D606\U0001D5FA\U0001D5F2\U0001D5FB\U0001D601|\U0001D5DB\U0001D5F2\U0001D5F9\U0001D5FD \U0001D5D7\U0001D5F2\U0001D600\U0001D5F8|\U0001D5FF\U0001D5F2\U0001D5F3\U0001D602\U0001D5FB\U0001D5F1|\U0001D5EE\U0001D5FB\U0001D601\U0001D5F6\U0001D603\U0001D5F6\U0001D5FF\U0001D602\U0001D600|\U0001D5F0\U0001D5EE\U0001D5F9\U0001D5F9|\U0001D5F0\U0001D5EE\U0001D5FB\U0001D5F0\U0001D5F2\U0001D5F9'\n )\n )\n or strings.ilike(body.html.inner_text, '*kindly*')\n)\n" | ||
| attack_types: | ||
| - "Callback Phishing" | ||
| - "BEC/Fraud" | ||
| tactics_and_techniques: | ||
| - "Evasion" | ||
| - "Social engineering" | ||
| detection_methods: | ||
| - "Sender analysis" | ||
| - "Header analysis" | ||
| - "Content analysis" | ||
| id: "b7fb174c-c5a0-567a-8090-6ca142d94562" | ||
| testing_pr: 2063 | ||
| testing_sha: 5fd7bd134123561c6eff61b29cf46f38512be7bf |