Update paypal_invoice_abuse.yml (#2184)
morriscode authored Dec 6, 2024
1 parent a5b4f98 commit 47b474c
Showing 1 changed file with 26 additions and 14 deletions.
40 changes: 26 additions & 14 deletions detection-rules/paypal_invoice_abuse.yml
Expand Up @@ -10,7 +10,13 @@ severity: "medium"
source: |
type.inbound
and length(attachments) == 0
and sender.email.domain.root_domain in ("paypal.com", "paypal.com.mx", "paypal.com.br", "paypal.com.ar", "paypal.co.uk")
and sender.email.domain.root_domain in (
"paypal.com",
"paypal.com.mx",
"paypal.com.br",
"paypal.com.ar",
"paypal.co.uk"
)
and (
strings.ilike(body.html.display_text, "*seller note*")
or strings.ilike(body.html.display_text, "*Note from *")
Expand All @@ -26,19 +32,19 @@ source: |
'.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
)
or // +12028001238
regex.icontains(strings.replace_confusables(body.current_thread.text),
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
)
or // 202-800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
)
or // (202) 800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
)
or // (202)-800-1238
regex.icontains(strings.replace_confusables(body.current_thread.text),
regex.icontains(strings.replace_confusables(body.current_thread.text),
'.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
)
or ( // 8123456789
Expand All @@ -58,13 +64,15 @@ source: |
strings.ilike(body.html.inner_text, '*is not for*'),
strings.ilike(body.html.inner_text, '*done by you*'),
regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
strings.ilike(body.html.inner_text, "*Fruad Alert*"),
strings.ilike(body.html.inner_text, "*Fraud Alert*"),
strings.ilike(body.html.inner_text, '*Fruad Alert*'),
strings.ilike(body.html.inner_text, '*Fraud Alert*'),
strings.ilike(body.html.inner_text, '*fraudulent*'),
strings.ilike(body.html.inner_text, '*using your PayPal*'),
strings.ilike(body.html.inner_text, '*subscription*'),
strings.ilike(body.html.inner_text, '*antivirus*'),
strings.ilike(body.html.inner_text, '*order*'),
strings.ilike(body.html.inner_text, '*support*'),
strings.ilike(body.html.inner_text, '*sincerely apologize*'),
strings.ilike(body.html.inner_text, '*receipt*'),
strings.ilike(body.html.inner_text, '*invoice*'),
strings.ilike(body.html.inner_text, '*Purchase*'),
Expand All @@ -76,6 +84,7 @@ source: |
strings.ilike(body.html.inner_text, '*quickly inform*'),
strings.ilike(body.html.inner_text, '*quickly reach *'),
strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
strings.ilike(body.html.inner_text, '*without your authorization*'),
strings.ilike(body.html.inner_text, '*cancel*'),
strings.ilike(body.html.inner_text, '*renew*'),
strings.ilike(body.html.inner_text, '*refund*'),
Expand All @@ -86,15 +95,18 @@ source: |
or regex.icontains(body.current_thread.text,
'note from.{0,50}(?:call|reach|contact|paypal)'
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "callback_scam"
)
or (
// Unicode confusables words obfuscated in note
regex.icontains(body.html.inner_text,
'\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
)
)
or strings.ilike(body.html.inner_text, '*kindly*')
)
)
or (
// Unicode confusables words obfuscated in note
regex.icontains(body.html.inner_text,
'\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
)
)
or strings.ilike(body.html.inner_text, '*kindly*')
)
attack_types:
- "BEC/Fraud"
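Review bot: The new `any(ml.nlu_classifier(body.current_thread.text).intents, .name == "callback_scam")` in the last hunk fires on an intent match at any confidence, and because this rule is already limited to mail from PayPal's own root domains, a low-confidence classification of a legitimate invoice note is enough to alert on its own. If the intent objects carry a confidence field as they do in other rules in this repository, gating it, e.g. `.name == "callback_scam" and .confidence in ("medium", "high")`, would keep the classifier's contribution in line with the fairly specific phone-number and phrasing checks it sits beside. The same hunk and the two before it also append `'*sincerely apologize*'` and `'*without your authorization*'` to a phrase list that already contains very broad terms such as `*order*` and `*support*`; a short comment above that list stating how many of its entries must match would help reviewers judge future additions. The `source` block and the boolean structure enclosing these lists start before the first hunk, so only part of the rule's logic is visible here.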
