diff --git a/detection-rules/abused_payoneer_callback.yml b/detection-rules/abused_payoneer_callback.yml new file mode 100644 index 00000000000..a65ec818b53 --- /dev/null +++ b/detection-rules/abused_payoneer_callback.yml @@ -0,0 +1,102 @@ +name: "Service Abuse: Payoneer Callback Scam" +description: "A fraudulent invoice/receipt found in the body of the message sent by leveraging Payoneer's invoicing service. Callback Phishing is an attempt by an attacker to solicit the victim (recipient) to call a phone number. The resulting interaction could lead to a multitude of attacks ranging from Financial theft, Remote Access Trojan (RAT) Installation or Ransomware Deployment." +type: "rule" +severity: "medium" +source: | + type.inbound + and length(attachments) == 0 + and sender.email.domain.root_domain in ("payoneer.com") + + and ( + ( + // icontains a phone number + ( + regex.icontains(strings.replace_confusables(body.current_thread.text), + '.*\+?([lo0-9]{1}.)?\(?[lo0-9]{3}?\)?.[lo0-9]{3}.?[lo0-9]{4}.*\n' + ) + or regex.icontains(strings.replace_confusables(body.current_thread.text), + '.*\+[lo0-9]{1,3}[lo0-9]{10}.*\n' + ) + or // +12028001238 + regex.icontains(strings.replace_confusables(body.current_thread.text), + '.*[lo0-9]{3}\.[lo0-9]{3}\.[lo0-9]{4}.*\n' + ) + or // 202-800-1238 + regex.icontains(strings.replace_confusables(body.current_thread.text), + '.*[lo0-9]{3}-[lo0-9]{3}-[lo0-9]{4}.*\n' + ) + or // (202) 800-1238 + regex.icontains(strings.replace_confusables(body.current_thread.text), + '.*\([lo0-9]{3}\)\s[lo0-9]{3}-[lo0-9]{4}.*\n' + ) + or // (202)-800-1238 + regex.icontains(strings.replace_confusables(body.current_thread.text), + '.*\([lo0-9]{3}\)-[lo0-9]{3}-[lo0-9]{4}.*\n' + ) + or ( // 8123456789 + regex.icontains(strings.replace_confusables(body.current_thread.text), + '.*8[lo0-9]{9}.*\n' + ) + and regex.icontains(strings.replace_confusables(body.current_thread.text + ), + '\+[1l]' + ) + ) + ) + and ( + ( + // list of keywords taken from + // https://github.com/sublime-security/sublime-rules/blob/main/detection-rules/paypal_invoice_abuse.yml + 4 of ( + strings.ilike(body.html.inner_text, '*you did not*'), + strings.ilike(body.html.inner_text, '*is not for*'), + strings.ilike(body.html.inner_text, '*done by you*'), + regex.icontains(body.html.inner_text, "didn\'t ma[kd]e this"), + strings.ilike(body.html.inner_text, "*Fruad Alert*"), + strings.ilike(body.html.inner_text, "*Fraud Alert*"), + strings.ilike(body.html.inner_text, '*using your PayPal*'), + strings.ilike(body.html.inner_text, '*subscription*'), + strings.ilike(body.html.inner_text, '*antivirus*'), + strings.ilike(body.html.inner_text, '*order*'), + strings.ilike(body.html.inner_text, '*support*'), + strings.ilike(body.html.inner_text, '*receipt*'), + strings.ilike(body.html.inner_text, '*invoice*'), + strings.ilike(body.html.inner_text, '*Purchase*'), + strings.ilike(body.html.inner_text, '*transaction*'), + strings.ilike(body.html.inner_text, '*Market*Value*'), + strings.ilike(body.html.inner_text, '*BTC*'), + strings.ilike(body.html.inner_text, '*call*'), + strings.ilike(body.html.inner_text, '*get in touch with our*'), + strings.ilike(body.html.inner_text, '*quickly inform*'), + strings.ilike(body.html.inner_text, '*quickly reach *'), + strings.ilike(body.html.inner_text, '*detected unusual transactions*'), + strings.ilike(body.html.inner_text, '*cancel*'), + strings.ilike(body.html.inner_text, '*renew*'), + strings.ilike(body.html.inner_text, '*refund*'), + strings.ilike(body.html.inner_text, '*+1*'), + regex.icontains(body.html.inner_text, 'help.{0,3}desk'), + ) + ) + ) + ) + or ( + // Unicode confusables words obfuscated in note + regex.icontains(body.html.inner_text, + '\+𝟭|𝗽𝗮𝘆𝗺𝗲𝗻𝘁|𝗛𝗲𝗹𝗽 𝗗𝗲𝘀𝗸|𝗿𝗲𝗳𝘂𝗻𝗱|𝗮𝗻𝘁𝗶𝘃𝗶𝗿𝘂𝘀|𝗰𝗮𝗹𝗹|𝗰𝗮𝗻𝗰𝗲𝗹' + ) + ) + or strings.ilike(body.html.inner_text, '*kindly*') + ) + + +attack_types: + - "Callback Phishing" + - "BEC/Fraud" +tactics_and_techniques: + - "Evasion" + - "Social engineering" +detection_methods: + - "Sender analysis" + - "Header analysis" + - "Content analysis" +id: "b7fb174c-c5a0-567a-8090-6ca142d94562"