From 4c1f72befd94959db231c789b7145eb98a80a183 Mon Sep 17 00:00:00 2001
From: Brandon Murphy <4827852+zoomequipd@users.noreply.github.com>
Date: Tue, 5 Nov 2024 15:10:14 -0600
Subject: [PATCH] Create abused_payoneer_callback.yml (#2063)

Co-authored-by: ID Generator <hello@sublimesecurity.com>
---
 detection-rules/abused_payoneer_callback.yml | 102 +++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 detection-rules/abused_payoneer_callback.yml

diff --git a/detection-rules/abused_payoneer_callback.yml b/detection-rules/abused_payoneer_callback.yml
new file mode 100644
index 00000000000..a65ec818b53
--- /dev/null
+++ b/detection-rules/abused_payoneer_callback.yml
@@ -0,0 +1,102 @@
+name: "Service Abuse: Payoneer Callback Scam"
+description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) == 0
+  and sender.email.domain.root_domain in ("payoneer.com")
+  
+  and (
+    (
+      // icontains a phone number
+      (
+        regex.icontains(strings.replace_confusables(body.current_thread.text),
+                        '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n'
+        )
+        or regex.icontains(strings.replace_confusables(body.current_thread.text),
+                           '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n'
+        )
+        or // +12028001238
+       regex.icontains(strings.replace_confusables(body.current_thread.text),
+                   '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n'
+        )
+        or // 202-800-1238
+       regex.icontains(strings.replace_confusables(body.current_thread.text),
+                   '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n'
+        )
+        or // (202) 800-1238
+       regex.icontains(strings.replace_confusables(body.current_thread.text),
+                   '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n'
+        )
+        or // (202)-800-1238
+       regex.icontains(strings.replace_confusables(body.current_thread.text),
+                   '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n'
+        )
+        or ( // 8123456789
+          regex.icontains(strings.replace_confusables(body.current_thread.text),
+                          '.*8[lo0-9]{9}.*\n'
+          )
+          and regex.icontains(strings.replace_confusables(body.current_thread.text
+                              ),
+                              '\+[1l]'
+          )
+        )
+      )
+      and (
+        (
+          // list of keywords taken from
+          // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml
+          4 of (
+            strings.ilike(body.html.inner_text, '*you did not*'),
+            strings.ilike(body.html.inner_text, '*is not for*'),
+            strings.ilike(body.html.inner_text, '*done by you*'),
+            regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"),
+            strings.ilike(body.html.inner_text, "*Fruad Alert*"),
+            strings.ilike(body.html.inner_text, "*Fraud Alert*"),
+            strings.ilike(body.html.inner_text, '*using your PayPal*'),
+            strings.ilike(body.html.inner_text, '*subscription*'),
+            strings.ilike(body.html.inner_text, '*antivirus*'),
+            strings.ilike(body.html.inner_text, '*order*'),
+            strings.ilike(body.html.inner_text, '*support*'),
+            strings.ilike(body.html.inner_text, '*receipt*'),
+            strings.ilike(body.html.inner_text, '*invoice*'),
+            strings.ilike(body.html.inner_text, '*Purchase*'),
+            strings.ilike(body.html.inner_text, '*transaction*'),
+            strings.ilike(body.html.inner_text, '*Market*Value*'),
+            strings.ilike(body.html.inner_text, '*BTC*'),
+            strings.ilike(body.html.inner_text, '*call*'),
+            strings.ilike(body.html.inner_text, '*get in touch with our*'),
+            strings.ilike(body.html.inner_text, '*quickly inform*'),
+            strings.ilike(body.html.inner_text, '*quickly reach *'),
+            strings.ilike(body.html.inner_text, '*detected unusual transactions*'),
+            strings.ilike(body.html.inner_text, '*cancel*'),
+            strings.ilike(body.html.inner_text, '*renew*'),
+            strings.ilike(body.html.inner_text, '*refund*'),
+            strings.ilike(body.html.inner_text, '*+1*'),
+            regex.icontains(body.html.inner_text, 'help.{0,3}desk'),
+          )
+        )
+      )
+    )
+    or (
+      // Unicode confusables words obfuscated in note
+      regex.icontains(body.html.inner_text,
+                      '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹'
+      )
+    )
+    or strings.ilike(body.html.inner_text, '*kindly*')
+  )
+  
+
+attack_types:
+  - "Callback Phishing"
+  - "BEC/Fraud"
+tactics_and_techniques:
+  - "Evasion"
+  - "Social engineering"
+detection_methods:
+  - "Sender analysis"
+  - "Header analysis"
+  - "Content analysis"
+id: "b7fb174c-c5a0-567a-8090-6ca142d94562"