
Summary
This detection rule targets callback phishing delivered as a fraudulent invoice or receipt image attached to an email. The lure is a charge the victim supposedly incurred, together with a phone number to call to cancel or dispute it; once the victim calls, the attacker can extract payment, talk them into installing a Remote Access Trojan (RAT), or stage a ransomware deployment. The rule combines several conditions to identify these emails: the sender's profile and how often the sender has been seen before (prevalence), the characteristics of the attachment, and analysis of its content. Images that appear to have been captured on a mobile device are treated as a special case to avoid benign detections, since photographed receipts are common in legitimate mail. The rule checks the optical character recognition (OCR) text of the attachment for phrases typically associated with financial transactions and with solicitation to call, and scans the image for major brand logos that would indicate impersonation. Requiring these signals in combination keeps false positives low while maintaining detection efficacy against the attack.
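As an added worked example (not the rule's own logic or any vendor's detection language), the Python below models the combination of signals the summary describes: an image attachment from a non-established sender whose OCR text contains financial-transaction vocabulary, a solicitation to call, and a phone number, with a brand name or detected logo raising confidence. The message data model, the phrase and brand lists, the phone-number pattern and the sample emails are all constructed for illustration; the mobile-device image heuristic mentioned above is not modelled.

```python
import re
from dataclasses import dataclass, field

# Constructed data model for an inbound email. The field names (sender_prevalence,
# ocr_text, detected_logos) are assumptions for this example, not any platform's schema.
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif", "image/bmp", "image/tiff", "image/webp"}

# Illustrative vocabulary seen in fake invoices/receipts used for callback phishing.
FINANCIAL_PHRASES = ("invoice", "receipt", "order", "subscription", "renew", "charged",
                     "payment", "total", "amount", "purchase", "transaction")
SOLICITATION_PHRASES = ("call", "contact", "customer support", "customer service",
                        "helpline", "cancel", "refund", "dispute")
# Illustrative list of brands commonly impersonated in these lures.
BRANDS = ("paypal", "norton", "geek squad", "mcafee", "amazon", "microsoft", "best buy")

# North American phone formats as typically printed on the lure image (assumed pattern).
PHONE_RE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")


@dataclass
class Attachment:
    filename: str
    content_type: str
    ocr_text: str = ""                          # text recovered from the image by OCR
    detected_logos: list = field(default_factory=list)  # brand logos found in the image


@dataclass
class Message:
    sender: str
    sender_prevalence: str   # "new", "rare" or "common": how often this sender was seen before
    subject: str
    body_text: str
    attachments: list


def _find_phrases(text, phrases):
    """Return the phrases that occur at a word boundary in text (case-insensitive)."""
    low = text.lower()
    return [p for p in phrases if re.search(r"\b" + re.escape(p), low)]


def is_established_sender(msg):
    """Sender-profile check: senders the org sees regularly do not trigger the rule."""
    return msg.sender_prevalence == "common"


def analyze_image_attachment(att):
    """Extract the callback-phishing signals from one attachment; None if not an image."""
    if att.content_type not in IMAGE_TYPES:
        return None
    brand_hits = _find_phrases(att.ocr_text, BRANDS)
    brand_hits += [logo.lower() for logo in att.detected_logos if logo.lower() in BRANDS]
    return {
        "financial": _find_phrases(att.ocr_text, FINANCIAL_PHRASES),
        "solicitation": _find_phrases(att.ocr_text, SOLICITATION_PHRASES),
        "phones": PHONE_RE.findall(att.ocr_text),
        "brands": sorted(set(brand_hits)),
    }


def detect_callback_phishing(msg):
    """Flag a message only when all core signals coincide on a single image attachment."""
    if is_established_sender(msg):
        return {"flagged": False, "reason": "established sender"}
    for att in msg.attachments:
        signals = analyze_image_attachment(att)
        if signals is None:
            continue
        if signals["phones"] and signals["financial"] and signals["solicitation"]:
            # A brand name or logo makes impersonation explicit and raises confidence.
            confidence = "high" if signals["brands"] else "medium"
            return {"flagged": True, "confidence": confidence,
                    "attachment": att.filename, "signals": signals}
    return {"flagged": False, "reason": "no invoice-style image with callback solicitation"}


# Constructed sample messages (not real emails).
PHISH = Message(
    sender="billing-notice@example-mail.test", sender_prevalence="new",
    subject="Your order confirmation",
    body_text="",  # callback lures often carry an empty body; everything is in the image
    attachments=[Attachment(
        "invoice_8841.png", "image/png",
        ocr_text=("Thank you for your purchase. Your Norton 360 subscription has been renewed "
                  "for $349.99. Total amount charged: $349.99. To cancel or request a refund, "
                  "call our customer support at 1-800-555-0199 within 24 hours."),
        detected_logos=["Norton"])],
)
KNOWN_VENDOR = Message(
    sender="ar@vendor.example", sender_prevalence="common", subject="Invoice 2023-118",
    body_text="Please find the attached invoice.",
    attachments=[Attachment("invoice.png", "image/png",
                            ocr_text="Invoice total: $1,200.00. Questions? Call (555) 555-0123.")],
)
RECEIPT_PHOTO = Message(
    sender="colleague@partner.example", sender_prevalence="new", subject="expense receipt",
    body_text="receipt from lunch",
    attachments=[Attachment("IMG_2041.jpg", "image/jpeg",
                            ocr_text="Receipt - Cafe - Latte $4.50 - Total $4.50 - Thank you")],
)

if __name__ == "__main__":
    for m in (PHISH, KNOWN_VENDOR, RECEIPT_PHOTO):
        print(m.subject, "->", detect_callback_phishing(m))
```

The established-sender gate runs first because prevalence is the cheapest and most discriminating check; OCR-derived signals are only consulted for senders the organization has little history with, which mirrors the ordering of conditions the summary describes.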
Categories
- Web
- Endpoint
- Identity Management
- Cloud
Data Sources
- Image
- User Account
- Network Traffic
- File
Created: 2023-03-03