
Attachment: Callback Phishing solicitation via pdf file

Sublime Rules

Summary
This detection rule identifies potential callback phishing attacks that use fraudulent PDF attachments to solicit victims. The rule targets emails with a single PDF attachment, which must meet specific criteria to trigger an alert: the attachment must have fewer than three pages and at least 60 characters of text identified through Optical Character Recognition (OCR). Additionally, the OCR text must include at least four specified keywords commonly associated with phishing scams, such as "purchase", "payment", "invoice", or phrases that imply urgency, such as "call us at". The detection also screens for certain sender characteristics, such as the use of free email providers or lesser-known domains, and checks for signs of evasion tactics seen in phishing attempts. This makes it a crucial rule for defending against financial theft, malware installation, and general phishing attacks.
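The rule logic described above, modelled as an added Python example over a constructed message record; this is not the rule's own source and does not reproduce its query language. The keyword list beyond the four terms named in the summary, the free-mail provider set, and the message/attachment fields are assumptions, and the sender check is simplified to free-mail domains only (the rule also weighs lesser-known domains and evasion signs, which are not modelled here).

```python
from dataclasses import dataclass

# The first four terms are those named in the rule summary; the rest are
# assumed additions for illustration, not the rule's actual keyword list.
SOLICITATION_TERMS = (
    "purchase", "payment", "invoice", "call us at",
    "subscription", "renewal", "charged", "contact us",
)
# Assumed free-mail provider set; the real rule's list is not on the page.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

@dataclass
class Attachment:
    content_type: str   # MIME type as reported by the mail parser
    page_count: int     # page count of the PDF
    ocr_text: str       # text recovered from the rendered pages by OCR

@dataclass
class Message:
    sender_address: str
    attachments: list

def keyword_hits(text):
    """Return the distinct solicitation terms found in the OCR text."""
    lowered = text.lower()
    return [term for term in SOLICITATION_TERMS if term in lowered]

def is_callback_phishing_pdf(msg):
    # Exactly one attachment, and it must be a PDF.
    if len(msg.attachments) != 1:
        return False
    pdf = msg.attachments[0]
    if pdf.content_type != "application/pdf":
        return False
    # A short document that still carries a meaningful amount of OCR text.
    if pdf.page_count >= 3 or len(pdf.ocr_text) < 60:
        return False
    # At least four of the solicitation keywords must appear.
    if len(keyword_hits(pdf.ocr_text)) < 4:
        return False
    # Sender characteristic: message came from a free-mail provider.
    domain = msg.sender_address.rsplit("@", 1)[-1].lower()
    return domain in FREE_MAIL_PROVIDERS

# Constructed sample OCR text resembling a callback-phishing "invoice".
SAMPLE_TEXT = ("Thank you for your purchase. Your payment of $499.99 has been processed "
               "and the invoice is attached. To cancel the subscription, call us at 1-800-000-0000.")

if __name__ == "__main__":
    sample = Message("billing-desk@gmail.com", [Attachment("application/pdf", 1, SAMPLE_TEXT)])
    print(is_callback_phishing_pdf(sample), keyword_hits(SAMPLE_TEXT))
```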
Categories
  • Endpoint
  • Cloud
  • Web
Data Sources
  • File
  • Network Traffic
  • User Account
Created: 2023-03-03