Brand impersonation: Meta/Facebook

Impersonation of Meta or Meta's subsidiary Facebook.

Sublime rule

 1name: "Brand impersonation: Meta/Facebook"
 2description: |
 3    Impersonation of Meta or Meta's subsidiary Facebook.
 4references:
 5  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
 6type: "rule"
 7severity: "low"
 8source: |
  // Detection logic: an inbound message fires when it (1) carries Meta/Facebook brand
  // signals, (2) is not sent from one of the listed legitimate root domains, (3) comes
  // from a sender whose profile is not established or trusted, and (4) passes the
  // high-trust-domain / DMARC gate. A recorded false positive for the sender suppresses
  // the rule entirely (last clause).
 9  type.inbound
10  and (
    // Branch A: strong brand signals in the display name or sending domain are
    // sufficient on their own (case-insensitive glob match, or edit distance <= 2
    // from the exact brand strings, which also catches typo'd lookalike names).
11    (
12      strings.ilike(sender.display_name,
13                    '*facebook ads*',
14                    '*facebook business*',
15                    '*meta support*',
16                    '*meta for business*',
17                    '*meta policy*'
18      )
19      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
20      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
21      or strings.ilevenshtein(sender.display_name, 'meta support') <= 2
22      or strings.ilike(sender.email.domain.domain, '*facebook*')
23    )
    // Branch B: the broader name match ('*meta*' also matches unrelated words such
    // as "metadata") is only accepted together with an ML signal: a Facebook/Meta
    // logo detected in the message screenshot, or a high-confidence credential-theft,
    // callback-scam or PII-theft intent in the current thread's text.
24    or (
25      (
26        strings.ilike(sender.display_name, '*facebook*', '*meta*')
27        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
28      )
29      and (
30        any(ml.logo_detect(beta.message_screenshot()).brands,
31            .name in ("Facebook", "Meta")
32        )
33        or any(ml.nlu_classifier(body.current_thread.text).intents,
34               .name in ("cred_theft", "callback_scam", "steal_pii")
35               and .confidence in ("high")
36        )
37      )
38    )
39  )
  // Legitimate sending root domains (`in~` is the case-insensitive membership test).
  // NOTE(review): medallia.com is not a Meta-owned domain — presumably a third-party
  // survey sender used for Meta-branded mail; confirm it is still required.
40  and sender.email.domain.root_domain not in~ (
41    'facebook.com',
42    'facebookmail.com',
43    'eventsatfacebook.com',
44    'facebookenterprise.com',
45    'meta.com',
46    'metamail.com',
47    'medallia.com'
48  )
  // Sender-profile gate: the sender must be unfamiliar and unsolicited, or have prior
  // malicious/spam messages with no false positives, or be Salesforce's no-reply
  // address, or the message must have been relayed through a Google Group.
49  and (
50    (
51      profile.by_sender().prevalence != "common"
52      and not profile.by_sender().solicited
53    )
54    or (
55      profile.by_sender().any_messages_malicious_or_spam
56      and not profile.by_sender().any_false_positives
57    )
58    or sender.email.email == "noreply@salesforce.com"
59    // sent via Google group
60    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
61  )
62  
63  // negate highly trusted sender domains unless they fail DMARC authentication
64  and (
65    (
66      sender.email.domain.root_domain in $high_trust_sender_root_domains
67      and not headers.auth_summary.dmarc.pass
68    )
69    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
70  
71    // Salesforce has been abused for Meta phishing campaigns repeatedly, so it is
    // evaluated even when it is on the high-trust list and passes DMARC
72    or sender.email.domain.root_domain == "salesforce.com"
73  )
  // Global suppression: any recorded false positive for this sender disables the rule
  // outright; this also subsumes the `not any_false_positives` check in the
  // sender-profile gate above.
74  and not profile.by_sender().any_false_positives  
75
76attack_types:
77  - "Credential Phishing"
78tactics_and_techniques:
79  - "Impersonation: Brand"
80  - "Lookalike domain"
81  - "Social engineering"
82detection_methods:
83  - "Header analysis"
84  - "Sender analysis"
85id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"