The hypothesis is that the detected behavior may indicate an adversary carrying out SMS-based fraud by leveraging compromised accounts to send malicious or deceptive messages. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential fraud attempts before they escalate into larger security incidents.
YARA Rule
rule sms_fraud : MSACM32 android
{
    meta:
        author = "Fernando Denis https://twitter.com/fdrg21"
        reference = "https://koodous.com/"
        description = "sms-fraud examples"
        sample = "8b9cabd2dafbba57bc35a19b83bf6027d778f3b247e27262ced618e031f9ca3d c52112b45164b37feeb81e0b5c4fcbbed3cfce9a2782a2a5001fb37cfb41e993"
    strings:
        $string_a = "MSACM32.dll"
        $string_b = "android.provider.Telephony.SMS_RECEIVED"
        $string_c = "MAIN_TEXT_TAG"
    condition:
        all of ($string_*) and
        androguard.permission(/android.permission.SEND_SMS/)
}
This YARA rule can be deployed in the following contexts:
This rule's detection logic requires all three of its string patterns ($string_a, $string_b and $string_c) to be present in the scanned APK and, through the Koodous androguard module, the android.permission.SEND_SMS permission to be declared by the APK; both parts must hold for the rule to fire.
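To make the rule's condition concrete, here is an added example (not part of the original page or the rule author's tooling) that re-implements the `all of ($string_*) and androguard.permission(...)` logic in plain Python over a constructed, in-memory zip standing in for an APK. It assumes the declared permissions have already been extracted from AndroidManifest.xml by an upstream tool such as androguard or aapt, since parsing binary AXML is out of scope here; the `build_fake_apk`, `matched_strings` and `sms_fraud_matches` names are this example's own.

```python
import io
import re
import zipfile

# String patterns copied from the rule's `strings:` section.
RULE_STRINGS = {
    "$string_a": b"MSACM32.dll",
    "$string_b": b"android.provider.Telephony.SMS_RECEIVED",
    "$string_c": b"MAIN_TEXT_TAG",
}

# The rule's condition uses androguard.permission(/android.permission.SEND_SMS/),
# i.e. a regular expression tested against each declared permission. The dots are
# unescaped in the rule, so they are kept unescaped here as well.
PERMISSION_RE = re.compile(r"android.permission.SEND_SMS")


def matched_strings(data: bytes) -> dict:
    """Report which of the rule's strings occur in the raw bytes (like YARA's $string_* matches)."""
    return {name: pattern in data for name, pattern in RULE_STRINGS.items()}


def has_send_sms_permission(permissions) -> bool:
    """Emulate androguard.permission(/.../): true if any declared permission matches the regex."""
    return any(PERMISSION_RE.search(p) for p in permissions)


def sms_fraud_matches(apk_bytes: bytes, permissions) -> bool:
    """Evaluate the rule's condition: all of ($string_*) and the SEND_SMS permission.

    `permissions` is assumed (this example's simplification) to come from an upstream
    manifest parser; the strings are searched across every decompressed zip entry.
    """
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        blob = b"".join(zf.read(name) for name in zf.namelist())
    hits = matched_strings(blob)
    return all(hits.values()) and has_send_sms_permission(permissions)


def build_fake_apk(dex_payload: bytes) -> bytes:
    """Construct a minimal zip that stands in for an APK (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex_payload)
        zf.writestr("AndroidManifest.xml", b"<placeholder for the binary manifest>")
    return buf.getvalue()


# Constructed dex-like payloads: one carrying all three strings, one carrying only two.
SUSPICIOUS_DEX = (b"\x00" * 16 + b"MSACM32.dll\x00"
                  b"android.provider.Telephony.SMS_RECEIVED\x00"
                  b"MAIN_TEXT_TAG\x00")
BENIGN_DEX = b"\x00" * 16 + b"android.provider.Telephony.SMS_RECEIVED\x00MAIN_TEXT_TAG\x00"

if __name__ == "__main__":
    apk = build_fake_apk(SUSPICIOUS_DEX)
    # All three strings plus SEND_SMS: the rule fires.
    print(sms_fraud_matches(apk, ["android.permission.SEND_SMS", "android.permission.INTERNET"]))
    # Same strings but no SEND_SMS permission: the permission clause fails.
    print(sms_fraud_matches(apk, ["android.permission.INTERNET"]))
    # Only two of the three strings: `all of ($string_*)` fails even with SEND_SMS.
    print(sms_fraud_matches(build_fake_apk(BENIGN_DEX), ["android.permission.SEND_SMS"]))
```

The third case is the one to keep in mind when triaging: an SMS receiver and SEND_SMS are common in legitimate messaging apps, and it is the conjunction with the MSACM32.dll string that makes the rule specific.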
Scenario: A system administrator is using sms-cli to send a scheduled maintenance alert to all users via SMS.
Filter/Exclusion: Exclude traffic from the admin user account or IP address used for scheduled jobs, e.g., user = "admin" OR src_ip = "192.168.1.100".
Scenario: A CI/CD pipeline (e.g., Jenkins or GitLab CI) is configured to send build status notifications via SMS to the development team.
Filter/Exclusion: Exclude traffic originating from the CI/CD server IP or specific job names, e.g., src_ip = "10.0.0.5" OR job_name = "build-notification".
Scenario: A security tool like OSSEC or Snort is configured to send alerts via SMS to the on-call team during a security incident.
Filter/Exclusion: Exclude traffic from the security tool’s alerting system, e.g., src_ip = "10.10.10.10" OR alert_type = "security_incident".
Scenario: A backup job (e.g., using Veeam or Commvault) sends a status update via SMS to the operations team.
Filter/Exclusion: Exclude traffic associated with backup jobs, e.g., job_name = "daily_backup" OR src_ip = "10.20.30.40".
Scenario: A mobile device management (MDM) tool like Microsoft Intune sends SMS-based enrollment or configuration updates to company-owned devices.
Filter/Exclusion: Exclude traffic from the MDM server IP or specific device enrollment endpoints, e.g., `src_ip = “10.30.40.50
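The exclusion expressions above all share one shape, `field = "value" OR field = "value"`. The following added example (this editor's code, not part of the original page) parses that syntax into clauses and applies it to a handful of constructed alert records, so the effect of an OR-based exclusion can be checked before it is deployed. The field names and sample values are taken from the scenarios; the events themselves are made up, and `parse_exclusion`, `is_excluded` and `apply_exclusions` are names chosen for this example.

```python
import re

# One clause of the page's filter syntax: field = "value"
CLAUSE_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_exclusion(expr: str):
    """Parse `field = "value" OR field = "value" ...` into a list of (field, value) pairs.

    Clauses are OR-ed, exactly as in the scenarios: an event is excluded if ANY clause matches.
    """
    clauses = []
    for part in re.split(r"\s+OR\s+", expr.strip()):
        m = CLAUSE_RE.match(part)
        if not m:
            raise ValueError(f"unparseable clause: {part!r}")
        clauses.append((m.group(1), m.group(2)))
    return clauses


def is_excluded(event: dict, clauses) -> bool:
    """True if any (field, value) clause equals the event's field; missing fields never match."""
    return any(event.get(field) == value for field, value in clauses)


def apply_exclusions(events, exclusion_exprs):
    """Split events into (kept, suppressed) after applying every exclusion expression."""
    parsed = [parse_exclusion(e) for e in exclusion_exprs]
    kept, suppressed = [], []
    for ev in events:
        (suppressed if any(is_excluded(ev, c) for c in parsed) else kept).append(ev)
    return kept, suppressed


# Exclusion expressions copied from the scenarios above.
EXCLUSIONS = [
    'user = "admin" OR src_ip = "192.168.1.100"',
    'src_ip = "10.0.0.5" OR job_name = "build-notification"',
    'src_ip = "10.10.10.10" OR alert_type = "security_incident"',
    'job_name = "daily_backup" OR src_ip = "10.20.30.40"',
]

# Constructed sample alerts (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "user": "admin", "src_ip": "192.168.1.100", "job_name": "maint-alert"},
    {"id": 2, "user": "jenkins", "src_ip": "10.0.0.5", "job_name": "build-notification"},
    {"id": 3, "user": "ops", "src_ip": "10.20.30.40", "job_name": "daily_backup"},
    {"id": 4, "user": "jsmith", "src_ip": "203.0.113.9", "job_name": "-"},
    # Unexpected user sending from the CI server address: still suppressed by the IP clause alone.
    {"id": 5, "user": "jsmith", "src_ip": "10.0.0.5", "job_name": "ad-hoc"},
]

if __name__ == "__main__":
    kept, suppressed = apply_exclusions(SAMPLE_EVENTS, EXCLUSIONS)
    print("kept:", [e["id"] for e in kept])
    print("suppressed:", [e["id"] for e in suppressed])
```

Event 5 shows the cost of OR-ing an IP with a job name: any SMS sent from the CI server's address is suppressed regardless of who sent it. When a single clause is enough to suppress an alert, each clause should be narrow enough that it cannot be satisfied by an attacker operating from a trusted host or account.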