From 186307ff88b12187527376fced996ddc78427406 Mon Sep 17 00:00:00 2001
From: Sublime Rule Testing Bot
Date: Sat, 26 Oct 2024 00:10:34 +0000
Subject: [PATCH] Sync from PR#2063 Create abused_payoneer_callback.yml by @zoomequipd https://github.com/sublime-security/sublime-rules/pull/2063 Source SHA 5fd7bd134123561c6eff61b29cf46f38512be7bf Triggered by @zoomequipd
---
 detection-rules/abused_payoneer_callback.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 detection-rules/abused_payoneer_callback.yml
diff --git a/detection-rules/abused_payoneer_callback.yml b/detection-rules/abused_payoneer_callback.yml
new file mode 100644
index 00000000000..ab0392bdeed
--- /dev/null
+++ b/detection-rules/abused_payoneer_callback.yml
@@ -0,0 +1,18 @@
+name: "Service Abuse: Payoneer Callback Scam"
+description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
+type: "rule"
+severity: "medium"
+source: "type.inbound\nand length(attachments) == 0\nand sender.email.domain.root_domain in (\"payoneer.com\")\n\nand (\n (\n // icontains a phone number\n (\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+?([lo0-9]{1}.)?\\(?[lo0-9]{3}?\\)?.[lo0-9]{3}.?[lo0-9]{4}.*\\n'\n )\n or regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+[lo0-9]{1,3}[lo0-9]{10}.*\\n'\n )\n or // +12028001238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[lo0-9]{3}\\.[lo0-9]{3}\\.[lo0-9]{4}.*\\n'\n )\n or // 202-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or // (202) 800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([lo0-9]{3}\\)\\s[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or // (202)-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([lo0-9]{3}\\)-[lo0-9]{3}-[lo0-9]{4}.*\\n'\n )\n or ( // 8123456789\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*8[lo0-9]{9}.*\\n'\n )\n and regex.icontains(strings.replace_confusables(body.current_thread.text\n ),\n '\\+[1l]'\n )\n )\n )\n and (\n (\n 4 of (\n strings.ilike(body.html.inner_text, '*you did not*'),\n strings.ilike(body.html.inner_text, '*is not for*'),\n strings.ilike(body.html.inner_text, '*done by you*'),\n regex.icontains(body.html.inner_text, \"didn\\'t ma[kd]e this\"),\n 
strings.ilike(body.html.inner_text, \"*Fruad Alert*\"),\n strings.ilike(body.html.inner_text, '*using your PayPal*'),\n strings.ilike(body.html.inner_text, '*subscription*'),\n strings.ilike(body.html.inner_text, '*antivirus*'),\n strings.ilike(body.html.inner_text, '*order*'),\n strings.ilike(body.html.inner_text, '*support*'),\n strings.ilike(body.html.inner_text, '*receipt*'),\n strings.ilike(body.html.inner_text, '*invoice*'),\n strings.ilike(body.html.inner_text, '*Purchase*'),\n strings.ilike(body.html.inner_text, '*transaction*'),\n strings.ilike(body.html.inner_text, '*Market*Value*'),\n strings.ilike(body.html.inner_text, '*BTC*'),\n strings.ilike(body.html.inner_text, '*call*'),\n strings.ilike(body.html.inner_text, '*get in touch with our*'),\n strings.ilike(body.html.inner_text, '*quickly inform*'),\n strings.ilike(body.html.inner_text, '*quickly reach *'),\n strings.ilike(body.html.inner_text, '*detected unusual transactions*'),\n strings.ilike(body.html.inner_text, '*cancel*'),\n strings.ilike(body.html.inner_text, '*renew*'),\n strings.ilike(body.html.inner_text, '*refund*'),\n strings.ilike(body.html.inner_text, '*+1*'),\n strings.ilike(body.html.inner_text, '*help*desk*'),\n )\n )\n )\n )\n or (\n // Unicode confusables words obfuscated in note\n regex.icontains(body.html.inner_text,\n '\\+\U0001D7ED|\U0001D5FD\U0001D5EE\U0001D606\U0001D5FA\U0001D5F2\U0001D5FB\U0001D601|\U0001D5DB\U0001D5F2\U0001D5F9\U0001D5FD \U0001D5D7\U0001D5F2\U0001D600\U0001D5F8|\U0001D5FF\U0001D5F2\U0001D5F3\U0001D602\U0001D5FB\U0001D5F1|\U0001D5EE\U0001D5FB\U0001D601\U0001D5F6\U0001D603\U0001D5F6\U0001D5FF\U0001D602\U0001D600|\U0001D5F0\U0001D5EE\U0001D5F9\U0001D5F9|\U0001D5F0\U0001D5EE\U0001D5FB\U0001D5F0\U0001D5F2\U0001D5F9'\n )\n )\n or strings.ilike(body.html.inner_text, '*kindly*')\n)\n"
+attack_types:
+ - "Callback Phishing"
+ - "BEC/Fraud"
+tactics_and_techniques:
+ - "Evasion"
+ - "Social engineering"
+detection_methods:
+ - "Sender analysis"
+ - "Header analysis"
+ 
- "Content analysis"
+id: "b7fb174c-c5a0-567a-8090-6ca142d94562"
+testing_pr: 2063
+testing_sha: 5fd7bd134123561c6eff61b29cf46f38512be7bf
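Review bot: The final branch of the top-level `and (...)` group, `or strings.ilike(body.html.inner_text, '*kindly*')`, is not gated by the phone-number block, so any inbound attachment-less message from payoneer.com whose body contains the substring "kindly" (a common word in ordinary vendor invoice notes) fires this rule at medium severity on that one token alone. Consider requiring it to co-occur with a phone-number match, e.g. `or (strings.ilike(body.html.inner_text, '*kindly*') and regex.icontains(strings.replace_confusables(body.current_thread.text), '.*\\+[lo0-9]{1,3}[lo0-9]{10}.*\\n'))`, or with at least one of the `4 of` indicators. The `4 of` list itself leans on generic invoice vocabulary (`*invoice*`, `*receipt*`, `*order*`, `*support*`, `*call*`), which a genuine invoice that also prints a vendor contact number may satisfy, so it would help to state in the PR whether the rule was checked against benign Payoneer invoice samples. Separately, in the first phone regex `\\(?[lo0-9]{3}?\\)?` the `?` after `{3}` only makes an exact-count quantifier lazy (a no-op) rather than optional; if an optional area code is intended, the parenthesised group needs its own trailing `?`.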