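# Sublime Security detection rule; the MQL query lives in `source`.
# Two detection paths feed the NLU classifier: OCR text from image/PDF
# attachments, and the current thread's body text. Both are gated on an
# untrusted-sender profile and a DMARC check for high-trust domains.
name: "Callback Phishing in body or attachment (untrusted sender)"
description: |
  Detects callback scams by running the NLU classifier over the body text of the current thread, or over OCR text extracted from image or PDF attachments (such as receipts or invoices), from untrusted senders.
type: "rule"
severity: "medium"
source: |
  type.inbound
  // bound the attachment work: only messages with fewer than five attachments
  and length(attachments) < 5
  and (
    // path 1: image or PDF attachment whose OCR text classifies as a callback scam
    any(attachments,
      (.file_type in $file_types_images or .file_type == "pdf")
      and any(file.explode(.),
        // exclude images taken with mobile cameras and screenshots from android
        not any(.scan.exiftool.fields,
          .key == "Model"
          or (
            .key == "Software"
            and strings.starts_with(.value, "Android")
          )
          or (.key == "UserComment" and .value == "Screenshot")
        )
        and any(ml.nlu_classifier(.scan.ocr.raw).intents,
          .name == "callback_scam"
          and .confidence in ("medium", "high")
        )
      )
    )
    // path 2: the body text itself, limited to short messages
    or any(ml.nlu_classifier(body.current_thread.text).intents,
      .name in ("callback_scam")
      and .confidence in ("medium", "high")
      and length(body.current_thread.text) < 1500
    )
  )
  // exclusion: mail relayed via BigCommerce whose HTML body references bigcommerce.com
  and not (
    any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
    and strings.icontains(body.html.raw, "bigcommerce.com")
  )
  // untrusted sender: unsolicited, or previously malicious/spam with no false positives
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "File analysis"
  - "Optical Character Recognition"
  - "Natural Language Understanding"
  - "Sender analysis"
# rule identifier; unchanged from the original
id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"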