Brand impersonation: Meta/Facebook
Impersonation of Meta or Meta's subsidiary Facebook.
name: "Brand impersonation: Meta/Facebook"
description: |
  Impersonation of Meta or Meta's subsidiary Facebook.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
# Sublime detection rule. The `source` block is MQL, so comments inside it
# use `//`; a `#` line there would be part of the query text.
source: |
  // Only evaluate mail arriving into the organization.
  type.inbound
  and (
    // Branch 1: sender identity alone is enough. The display name spells out a
    // Meta/Facebook business or support persona (wildcard match, or within two
    // edits of it), or the sender's domain itself contains "facebook".
    (
      strings.ilike(sender.display_name,
                    '*facebook ads*',
                    '*facebook business*',
                    '*meta support*',
                    '*meta for business*',
                    '*meta policy*'
      )
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or strings.ilevenshtein(sender.display_name, 'meta support') <= 2
      or strings.ilike(sender.email.domain.domain, '*facebook*')
    )
    // Branch 2: a weaker name signal (a bare "facebook"/"meta" word, or a
    // near-miss of "facebook") must be corroborated by message content: either
    // a Facebook/Meta logo in the rendered screenshot, or a high-confidence
    // credential-theft / callback-scam / PII-theft intent in the thread body.
    // beta.message_screenshot() is a beta function per its namespace - confirm
    // its availability before relying on this branch.
    or (
      (
        regex.icontains(sender.display_name, '\bfacebook\b', '\bmeta\b', '\bmeta.*support\b')
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      and (
        any(ml.logo_detect(beta.message_screenshot()).brands,
            .name in ("Facebook", "Meta")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("high")
        )
      )
    )
    // Branch 3: content-only signal, independent of the sender name.
    or
    // or the body contains a facebook/meta footer with the address citing "community support"
    (
      strings.icontains(body.current_thread.text,
                        "Meta Platforms, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 94025"
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and any(body.links,
              strings.ends_with(.href_url.domain.domain, 'facebook.com')
              and strings.starts_with(.href_url.path, '/msg/')
      )
    )
  )
  // Suppress mail whose root domain is one of Meta's own sending domains
  // (case-insensitive match). medallia.com presumably carries Meta survey
  // mail - confirm against observed traffic.
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'medallia.com'
  )
  // negate metaenterprise links
  // NOTE(review): Reply-To is a sender-supplied header, so this exclusion is not
  // backed by authentication; the DMARC check further down only applies to
  // $high_trust_sender_root_domains. Confirm whether this exclusion should also
  // require an authenticated facebookmail.com sender.
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
  // Sender-reputation gate: fire only for senders that are not common and
  // unsolicited, or that carry prior malicious/spam verdicts with no false
  // positives, or for two relay cases (Salesforce notification address,
  // Google Groups) where the relay's own reputation would otherwise mask the
  // impersonation.
  and (
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or sender.email.email == "noreply@salesforce.com"
    // sent via Google group
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly
    or sender.email.domain.root_domain == "salesforce.com"
  )
  // Global suppression for any sender with recorded false positives. Because
  // this applies to every branch, the same check inside the reputation gate
  // above is redundant.
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# NOTE(review): the source also relies on logo detection and NLU over the body
# text (branch 2); confirm whether the corresponding vision/NLU detection
# methods should be listed alongside the header and sender analysis entries.
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"