[PR #3478] added rule: Callback phishing in body or attachment (untrusted sender)

github-actions[bot] · github-actions[bot] · commit f0795fce383f · 2025-11-05T14:33:38.000Z
diff --git a/detection-rules/3478_callback_phishing_nlu_body_or_attachments.yml b/detection-rules/3478_callback_phishing_nlu_body_or_attachments.yml
@@ -0,0 +1,84 @@
+name: "Callback phishing in body or attachment (untrusted sender)"
+description: |
+  Detects callback scams by analyzing text within images of receipts or invoices from untrusted senders.
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and length(attachments) < 5
+  and (
+    any(attachments,
+        (.file_type in $file_types_images or .file_type in ("pdf", "xlsx"))
+        and (
+          any(ml.nlu_classifier(beta.ocr(.).text).intents,
+              .name == "callback_scam" and .confidence in ("medium", "high")
+          )
+          or any(file.explode(.),
+  
+                 // exclude images taken with mobile cameras and screenshots from android
+                 not any(.scan.exiftool.fields,
+                         .key == "Model"
+                         or (
+                           .key == "Software"
+                           and strings.starts_with(.value, "Android")
+                         )
+                         or (.key == "UserComment" and .value == "Screenshot")
+                 )
+                 and any(ml.nlu_classifier(.scan.ocr.raw).intents,
+                         .name == "callback_scam"
+                         and .confidence in ("medium", "high")
+                 )
+          )
+        )
+        and (
+          // negate noreply unless a logo is found in the attachment
+          (
+            sender.email.local_part in ("no_reply", "noreply")
+            and any(ml.logo_detect(.).brands,
+                    .name in ("PayPal", "Norton", "GeekSquad", "Ebay", "McAfee")
+            )
+          )
+          or sender.email.local_part not in ("no_reply", "noreply")
+        )
+    )
+    or any(ml.nlu_classifier(body.current_thread.text).intents,
+           .name in ("callback_scam")
+           and .confidence in ("medium", "high")
+           and 270 < length(body.current_thread.text) < 1750
+    )
+  )
+  and not (
+    any(headers.domains, .domain == "smtp-out.gcp.bigcommerce.net")
+    and strings.icontains(body.html.raw, "bigcommerce.com")
+  )
+  and (
+    not profile.by_sender().solicited
+    or (
+      profile.by_sender().any_messages_malicious_or_spam
+      and not profile.by_sender().any_messages_benign
+    )
+  )
+  
+  // negate highly trusted sender domains unless they fail DMARC authentication
+  and (
+    (
+      sender.email.domain.root_domain in $high_trust_sender_root_domains
+      and not headers.auth_summary.dmarc.pass
+    )
+    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
+  )
+attack_types:
+  - "Callback Phishing"
+tactics_and_techniques:
+  - "Out of band pivot"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "File analysis"
+  - "Optical Character Recognition"
+  - "Natural Language Understanding"
+  - "Sender analysis"
+id: "c36585b7-adc0-5567-858a-969a603641ae"
+og_id: "b93c6f94-c9a3-587a-8eb5-6856754f8222"
+testing_pr: 3478
+testing_sha: 56c2cca866480c720d63f38118503eb59742abb4
