Brand impersonation: Meta/Facebook
Impersonation of Meta or Meta's subsidiary Facebook.
Sublime rule
# Sublime detection rule (MQL query embedded in YAML). Shape of the `source` query:
#   (A) the sender display name or sending domain names, or closely resembles, Facebook/Meta,
#   or (B) a weaker display-name hit that is corroborated by logo detection or phishing intent,
#   or (C) a Meta "Community Support" postal footer plus a Facebook chat link or phishing intent;
#   then exclude first-party Meta sending domains, gate on the sender profile, and apply the
#   high-trust-domain / DMARC check and a global false-positive guard.
1name: "Brand impersonation: Meta/Facebook"
2description: |
3 Impersonation of Meta or Meta's subsidiary Facebook.
4references:
5 - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
6type: "rule"
7severity: "low"
8source: |
9 type.inbound
10 and (
11 (
// (A) Direct brand reference: wildcard match on the display name, edit distance <= 2
// (case-insensitive) from known Meta support/ads names, or "facebook" in the sending domain.
12 strings.ilike(sender.display_name,
13 '*facebook ads*',
14 '*facebook business*',
15 '*meta support*',
16 '*meta for business*',
17 '*meta policy*'
18 )
19 or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
20 or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
21 or (
22 strings.ilevenshtein(sender.display_name, 'meta support') <= 2
23 // negation for Zeta Support
// The exclusion uses an exact, case-sensitive display-name match and is pinned to the
// sender's root domain, so the display name alone does not satisfy it.
24 and not (sender.display_name == "Zeta Support" and sender.email.domain.root_domain == 'zetaglobal.net')
25 )
26 or strings.ilike(sender.email.domain.domain, '*facebook*')
27 )
28 or (
// (B) Whole-word "facebook"/"meta" in the display name, or edit distance <= 2 from
// "facebook", is a weaker signal and must be corroborated by the block further down.
29 (
30 (
31 regex.icontains(sender.display_name,
32 '\bfacebook\b',
33 '\bmeta\b',
34 '\bmeta.*support\b'
35 )
36 // negate metageek.com
37 and not (
38 strings.icontains(sender.display_name, 'MetaGeek Support')
39 and sender.email.domain.root_domain == "metageek.com"
40 )
41 )
42 or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
43 )
// Corroboration: a Facebook/Meta logo detected in the rendered message, or a
// high-confidence credential-theft / callback-scam / PII-theft intent in the body.
44 and (
45 any(ml.logo_detect(beta.message_screenshot()).brands,
46 .name in ("Facebook", "Meta")
47 )
48 or any(ml.nlu_classifier(body.current_thread.text).intents,
49 .name in ("cred_theft", "callback_scam", "steal_pii")
50 and .confidence in ("high")
51 )
52 )
53 )
54 or
55 // or the body contains a facebook/meta footer with the address citing "community support"
56 (
57 regex.icontains(body.current_thread.text,
58 "Meta Platforms, Inc., Attention: Community Support, 1 (Facebook|Meta) Way, Menlo Park, CA 94025"
59 )
60 // and it contains a link to spawn a chat with facebook - this is not the way support operates
61 and (
// NOTE(review): ends_with on the bare domain string also matches any domain that merely
// ends in "facebook.com". As a detection (not exclusion) condition this only widens the
// match, but ".facebook.com" or a root_domain comparison would be exact — confirm intent.
62 any(body.links,
63 strings.ends_with(.href_url.domain.domain, 'facebook.com')
64 and strings.starts_with(.href_url.path, '/msg/')
65 )
66 or (
67 any(ml.nlu_classifier(body.current_thread.text).intents,
68 .name in ("cred_theft", "callback_scam", "steal_pii")
69 and .confidence in ("high")
70 )
71 )
72 )
73 )
74 )
// Exclusions: first-party Meta sending domains (in~ is the case-insensitive form of in).
// NOTE(review): medallia.com does not look like a Meta-owned domain; presumably a survey
// vendor mailing on Meta's behalf — confirm why it is excluded here.
75 and sender.email.domain.root_domain not in~ (
76 'facebook.com',
77 'facebookmail.com',
78 'eventsatfacebook.com',
79 'facebookenterprise.com',
80 'meta.com',
81 'metamail.com',
82 'medallia.com'
83 )
84 // negate metaenterprise links
// NOTE(review): the comment above mentions "metaenterprise links" but the check below keys
// on the Reply-To address, which the DMARC gating further down does not cover — confirm
// this exclusion is meant to stand on its own.
85 and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
// Sender-profile gating: an uncommon and unsolicited sender, a sender with prior
// malicious/spam verdicts and no false positives, the Salesforce no-reply address,
// or mail relayed through a Google Group (X-Google-Group-Id hop header).
86 and (
87 (
88 profile.by_sender().prevalence != "common"
89 and not profile.by_sender().solicited
90 )
91 or (
92 profile.by_sender().any_messages_malicious_or_spam
93 and not profile.by_sender().any_false_positives
94 )
95 or sender.email.email == "noreply@salesforce.com"
96 // sent via Google group
97 or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
98 )
99
100 // negate highly trusted sender domains unless they fail DMARC authentication
// High-trust root domains pass only when DMARC failed; other domains always pass this
// block; salesforce.com passes regardless of the DMARC result (third branch).
101 and (
102 (
103 sender.email.domain.root_domain in $high_trust_sender_root_domains
104 and not headers.auth_summary.dmarc.pass
105 )
106 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
107
108 // salesforce has been abused for meta phishing campaigns repeatedly
109 or sender.email.domain.root_domain == "salesforce.com"
110 )
// Global false-positive guard, in addition to the per-branch check in the profile block above.
111 and not profile.by_sender().any_false_positives
112
113attack_types:
114 - "Credential Phishing"
115tactics_and_techniques:
116 - "Impersonation: Brand"
117 - "Lookalike domain"
118 - "Social engineering"
119detection_methods:
120 - "Header analysis"
121 - "Sender analysis"
122id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"