Sync from PR#2437
Update paypal_invoice_abuse.yml by @zoomequipd
#2437
Source SHA ca133e3
Triggered by @zoomequipd
Sublime Rule Testing Bot committed Feb 26, 2025
1 parent 115c667 commit 5975aa0
Showing 1 changed file with 20 additions and 0 deletions.
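--- a/detection-rules/paypal_invoice_abuse.yml
+++ b/detection-rules/paypal_invoice_abuse.yml
@@ -0,0 +1,20 @@
+name: "PayPal Invoice Abuse"
+description: "A fraudulent invoice/receipt found in the body of the message sent by exploiting Paypal's invoicing service.\nCallback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. \nThe resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment.\n"
+type: "rule"
+references:
+- "https://anderegg.ca/2023/02/01/a-novel-paypal-scam"
+severity: "medium"
+source: "type.inbound\nand length(attachments) == 0\nand sender.email.domain.root_domain in (\n \"paypal.com\",\n \"paypal.com.mx\",\n \"paypal.com.br\",\n \"paypal.com.ar\",\n \"paypal.co.uk\"\n)\nand (\n strings.ilike(body.html.display_text, \"*seller note*\")\n or strings.ilike(body.html.display_text, \"*Note from *\")\n or strings.ilike(body.html.display_text, \"*Address Updated:*\")\n // payment notificiations that are sent to a recipient which is not the mailbox id\n // attempts to include ones amplified via a DL\n or (\n strings.ilike(body.html.display_text, \"*You Sent *\")\n and all(recipients.to,\n .email.domain.domain not in $org_domains\n and .email.email != mailbox.email.email\n )\n )\n // phone number in subject\n // the subject contains the seller's \"name\", attacks have been seen with the entire callback text in the seller's name\n or (\n regex.icontains(strings.replace_confusables(subject.subject),\n '.*\\+?([ilo0-9]{1}.)?\\(?[ilo0-9]{3}?\\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*'\n )\n or regex.icontains(strings.replace_confusables(subject.subject),\n '.*\\+[ilo0-9]{1,3}[ilo0-9]{10}.*'\n )\n or // +12028001238\n regex.icontains(strings.replace_confusables(subject.subject),\n '.*[ilo0-9]{3}\\.[ilo0-9]{3}\\.[ilo0-9]{4}.*'\n )\n or // 202-800-1238\n regex.icontains(strings.replace_confusables(subject.subject),\n '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*'\n )\n or // (202) 800-1238\n regex.icontains(strings.replace_confusables(subject.subject),\n '.*\\([ilo0-9]{3}\\)\\s[ilo0-9]{3}-[ilo0-9]{4}.*'\n )\n or // (202)-800-1238\n regex.icontains(strings.replace_confusables(subject.subject),\n '.*\\([ilo0-9]{3}\\)-[ilo0-9]{3}-[ilo0-9]{4}.*'\n )\n or ( // 8123456789\n regex.icontains(strings.replace_confusables(subject.subject),\n '.*8[ilo0-9]{9}.*'\n )\n and regex.icontains(strings.replace_confusables(subject.subject),\n '\\+[1l]'\n )\n )\n )\n)\nand (\n (\n // icontains a phone number\n (\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+?([ilo0-9]{1}.)?\\(?[ilo0-9]{3}?\\)?.[ilo0-9]{3}.?[ilo0-9]{4}.*\\n'\n )\n or regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\+[ilo0-9]{1,3}[ilo0-9]{10}.*\\n'\n )\n or // +12028001238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[ilo0-9]{3}\\.[ilo0-9]{3}\\.[ilo0-9]{4}.*\\n'\n )\n or // 202-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*[ilo0-9]{3}-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'\n )\n or // (202) 800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([ilo0-9]{3}\\)\\s[ilo0-9]{3}-[ilo0-9]{4}.*\\n'\n )\n or // (202)-800-1238\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*\\([ilo0-9]{3}\\)-[ilo0-9]{3}-[ilo0-9]{4}.*\\n'\n )\n or ( // 8123456789\n regex.icontains(strings.replace_confusables(body.current_thread.text),\n '.*8[ilo0-9]{9}.*\\n'\n )\n and regex.icontains(strings.replace_confusables(body.current_thread.text\n ),\n '\\+[1l]'\n )\n )\n )\n and (\n (\n 4 of (\n strings.ilike(body.html.inner_text, '*you did not*'),\n strings.ilike(body.html.inner_text, '*is not for*'),\n strings.ilike(body.html.inner_text, '*done by you*'),\n regex.icontains(body.html.inner_text, \"didn\\'t ma[kd]e this\"),\n strings.ilike(body.html.inner_text, '*Fruad Alert*'),\n strings.ilike(body.html.inner_text, '*Fraud Alert*'),\n strings.ilike(body.html.inner_text, '*fraudulent*'),\n strings.ilike(body.html.inner_text, '*using your PayPal*'),\n strings.ilike(body.html.inner_text, '*subscription*'),\n strings.ilike(body.html.inner_text, '*antivirus*'),\n strings.ilike(body.html.inner_text, '*order*'),\n strings.ilike(body.html.inner_text, '*support*'),\n strings.ilike(body.html.inner_text, '*sincerely apologize*'),\n strings.ilike(body.html.inner_text, '*receipt*'),\n strings.ilike(body.html.inner_text, '*invoice*'),\n strings.ilike(body.html.inner_text, '*Purchase*'),\n strings.ilike(body.html.inner_text, '*transaction*'),\n strings.ilike(body.html.inner_text, '*Market*Value*'),\n strings.ilike(body.html.inner_text, '*BTC*'),\n strings.ilike(body.html.inner_text, '*call*'),\n strings.ilike(body.html.inner_text, '*get in touch with our*'),\n strings.ilike(body.html.inner_text, '*quickly inform*'),\n strings.ilike(body.html.inner_text, '*quickly reach *'),\n strings.ilike(body.html.inner_text, '*detected unusual transactions*'),\n strings.ilike(body.html.inner_text, '*without your authorization*'),\n strings.ilike(body.html.inner_text, '*cancel*'),\n strings.ilike(body.html.inner_text, '*renew*'),\n strings.ilike(body.html.inner_text, '*refund*'),\n strings.ilike(body.html.inner_text, '*+1*'),\n regex.icontains(body.html.inner_text, 'help.{0,3}desk'),\n strings.ilike(body.html.inner_text, '* your funds*'),\n strings.ilike(body.html.inner_text, '* your checking*'),\n strings.ilike(body.html.inner_text, '* your saving*'),\n strings.ilike(body.html.inner_text, '*transfer*'),\n strings.ilike(body.html.inner_text, '*secure your account*'),\n strings.ilike(body.html.inner_text, '*recover your*'),\n strings.ilike(body.html.inner_text, '*unusual activity*'),\n strings.ilike(body.html.inner_text, '*suspicious transaction*'),\n strings.ilike(body.html.inner_text, '*transaction history*'),\n strings.ilike(body.html.inner_text, '*please ignore this*'),\n strings.ilike(body.html.inner_text, '*report activity*'),\n\n )\n )\n or regex.icontains(body.current_thread.text,\n 'note from.{0,50}(?:call|reach|contact|paypal)'\n )\n or any(ml.nlu_classifier(body.current_thread.text).intents,\n .name == \"callback_scam\"\n )\n or (\n // Unicode confusables words obfuscated in note\n regex.icontains(body.html.inner_text,\n '\\+\U0001D7ED|\U0001D5FD\U0001D5EE\U0001D606\U0001D5FA\U0001D5F2\U0001D5FB\U0001D601|\U0001D5DB\U0001D5F2\U0001D5F9\U0001D5FD \U0001D5D7\U0001D5F2\U0001D600\U0001D5F8|\U0001D5FF\U0001D5F2\U0001D5F3\U0001D602\U0001D5FB\U0001D5F1|\U0001D5EE\U0001D5FB\U0001D601\U0001D5F6\U0001D603\U0001D5F6\U0001D5FF\U0001D602\U0001D600|\U0001D5F0\U0001D5EE\U0001D5F9\U0001D5F9|\U0001D5F0\U0001D5EE\U0001D5FB\U0001D5F0\U0001D5F2\U0001D5F9'\n )\n )\n or strings.ilike(body.html.inner_text, '*kindly*')\n )\n )\n)\n"
+attack_types:
+- "BEC/Fraud"
+- "Callback Phishing"
+tactics_and_techniques:
+- "Evasion"
+- "Social engineering"
+detection_methods:
+- "Content analysis"
+- "Header analysis"
+- "Sender analysis"
+id: "0ff7a0d4-164d-5ff1-8765-783fa2008b0f"
+testing_pr: 2437
+testing_sha: ca133e3a3771abddd34fb3cb09e886349dbdec44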
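Review bot: In the first subject phone-number pattern, `\\(?[ilo0-9]{3}?\\)?`, the `?` after `{3}` only makes a fixed-count quantifier lazy, so the three digits remain mandatory; if the area code was meant to be optional the group has to be wrapped, e.g. `\\(?(?:[ilo0-9]{3})?\\)?`, and the same construct is repeated in the first `body.current_thread.text` pattern. The unescaped `.` separators in that pattern (`{1}.`, `\\)?.`, `{3}.?`) match any character, so it is looser than the `\\.`, `-` and `\\s` variants that follow it; if a literal separator was intended, a class such as `[ .-]?` would state that and cut incidental matches. Separately, the `4 of (...)` list mixes scam-specific phrases with tokens that appear in nearly every genuine PayPal invoice (`*invoice*`, `*receipt*`, `*transaction*`, `*order*`, `*support*`, `*Purchase*`), so the threshold is likely met by legitimate invoices whose seller note carries a business phone number; raising the count or moving the generic tokens out of the weighted set would tighten it. The comment `// payment notificiations that are sent to a recipient which is not the mailbox id` has a typo, `notifications`.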
