Brand impersonation: Meta/Facebook
Impersonation of Meta or Meta's subsidiary Facebook.
# Sublime Security detection rule (MQL inside the `source` block scalar).
# Flags inbound mail that impersonates Meta/Facebook via the sender display name,
# a lookalike sender domain, or brand cues in the body, and then gates the hit on
# sender-reputation and authentication checks to keep false positives down.
name: "Brand impersonation: Meta/Facebook"
description: |
  Impersonation of Meta or Meta's subsidiary Facebook.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  // Only inbound mail is in scope.
  type.inbound
  and (
    // --- Branch 1: sender display name alone is a strong enough indicator
    // that it can be used without any other impersonation logic.
    (
      strings.ilike(sender.display_name,
                    '*facebook ads*',
                    '*facebook business*',
                    '*meta support*',
                    '*meta for business*',
                    '*meta policy*'
      )
      // Case-insensitive edit distance <= 2 catches typo-squatted display names
      // (e.g. a single swapped or inserted character).
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or (
        strings.ilevenshtein(sender.display_name, 'meta support') <= 2
        // negation for Zeta Support: "Zeta Support" is within distance 2 of
        // "meta support", so it is excluded only when paired with its own root domain.
        and not (
          sender.display_name == "Zeta Support"
          and sender.email.domain.root_domain == 'zetaglobal.net'
        )
      )
      // Lookalike sender domain containing "facebook" (real Facebook domains are
      // excluded further down by the root_domain allow-list).
      or strings.ilike(sender.email.domain.domain, '*facebook*')
    )
    // --- Branch 2: the use of these keywords (facebook, meta, meta.*support)
    // or the levenshtein distance to facebook
    // are less strong and thus need to be combined with logo detection or nlu.
    or (
      (
        (
          regex.icontains(sender.display_name,
                          '\bfacebook\b',
                          '\bmeta\b',
                          '\bmeta.*support\b'
          )
          // negate metageek.com: "MetaGeek Support" matches '\bmeta.*support\b'
          // and is excluded only when sent from its own root domain.
          and not (
            strings.icontains(sender.display_name, 'MetaGeek Support')
            and sender.email.domain.root_domain == "metageek.com"
          )
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      // Corroboration: a Facebook/Meta logo in the rendered message, or a
      // high-confidence phishing/scam intent from the NLU classifier.
      and (
        any(ml.logo_detect(beta.message_screenshot()).brands,
            .name in ("Facebook", "Meta")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("high")
        )
      )
    )
    // --- Branch 3: salesforce sender combined with logo detection and nlu is enough.
    // Both signals are required here (not either/or as in Branch 2) because the
    // sender itself gives no brand signal.
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(beta.message_screenshot()).brands,
              .name in ("Facebook", "Meta")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
      )
    )
    or
    // --- Branch 4: or the body contains a facebook/meta footer with the address
    // citing "community support"
    (
      regex.icontains(body.current_thread.text,
                      "Meta Platforms, Inc., Attention: Community Support, 1 (Facebook|Meta) Way, Menlo Park, CA 94025"
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and (
        any(body.links,
            // Suffix match: also matches lookalike hosts whose name ends in
            // "facebook.com"; this only widens detection, it never suppresses.
            strings.ends_with(.href_url.domain.domain, 'facebook.com')
            and strings.starts_with(.href_url.path, '/msg/')
        )
        or (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
          )
        )
      )
    )
  )
  // Exclude mail whose From: root domain is a legitimate Meta/Facebook domain
  // (in~ is case-insensitive). NOTE(review): this exclusion looks at the From:
  // header only and does not check authentication; a message spoofing one of
  // these domains is left to DMARC/spoofing rules rather than this one - confirm.
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'medallia.com'
  )
  // negate metaenterprise links
  // NOTE(review): Reply-To is fully under the sender's control, so this
  // negation can be satisfied by any message that sets that header; consider
  // pairing it with an authentication check (e.g. headers.auth_summary.dmarc.pass
  // on the sender's root domain) if the suppression proves too broad - confirm.
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
  // Sender-reputation gate: fire only for senders that are not both common and
  // solicited, or that have prior malicious/spam history with no false positives.
  and (
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // if salesforce is being abused, sender profiles aren't very useful
    or sender.email.email in ("noreply@salesforce.com", "support@salesforce.com")
    // sent via Google group: the group relay masks the original sender's profile
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly,
    // so it is not granted the high-trust exemption even when DMARC passes
    or sender.email.domain.root_domain == "salesforce.com"
  )
  // Final safety valve: never fire on a sender with recorded false positives.
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# NOTE(review): the query also relies on logo detection (ml.logo_detect) and
# NLU intents (ml.nlu_classifier); consider whether the detection_methods tags
# should reflect those content-based methods as well - confirm against the
# repository's tag conventions.
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"