Brand impersonation: Meta/Facebook

Impersonation of Meta or Meta's subsidiary Facebook.

Sublime rule

# Sublime Platform detection rule: YAML metadata around an MQL query in `source`.
# Flags inbound mail whose sender presents as Meta/Facebook but does not come
# from one of the exempted Meta sending domains, gated on sender-profile signals.
name: "Brand impersonation: Meta/Facebook"
# NOTE(review): "subsidary" should read "subsidiary"; left untouched here because
# the description is data shown to analysts, not a comment.
description: |
    Impersonation of Meta or Meta's subsidary Facebook.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  // Lines beginning with "//" are MQL comments inside the query text.
  type.inbound
  // Impersonation signal: either a strong brand lookalike on its own (first
  // branch), or a weak brand mention that is corroborated by logo detection
  // or an NLU intent classification (second branch).
  and (
    (
      strings.ilike(sender.display_name,
                    '*facebook ads*',
                    '*facebook business*',
                    '*meta support*',
                    '*meta for business*',
                    '*meta policy*'
      )
      // ilevenshtein is a case-insensitive edit distance; <= 2 tolerates small
      // typos or character swaps against the brand name
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or strings.ilevenshtein(sender.display_name, 'meta support') <= 2
      // brand name anywhere in the sender's domain, not only the root domain
      or strings.ilike(sender.email.domain.domain, '*facebook*')
    )
    or (
      (
        strings.ilike(sender.display_name, '*facebook*', '*meta*')
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      and (
        // corroboration: a Facebook/Meta logo in the rendered message, or a
        // high-confidence cred-theft / callback-scam / PII-theft intent in the
        // current thread's body text
        any(ml.logo_detect(beta.message_screenshot()).brands, .name in ("Facebook", "Meta"))
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("high")
        )
      )
    )
  )
  // Exempt Meta's own sending domains (in~ is a case-insensitive membership test).
  // NOTE(review): this exemption keys on the From root domain alone with no
  // authentication check, so a spoofed From address at one of these domains is
  // exempted even when DMARC fails; consider pairing it with a DMARC-pass condition.
  // NOTE(review): medallia.com does not look like a Meta-owned domain — confirm
  // the reason it is exempted here.
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'medallia.com'
  )
  // Sender reputation gate: fire only when the sender is new/outlier and
  // unsolicited, has prior malicious/spam history with no false positives,
  // is the Salesforce no-reply address, or the message arrived via a Google Group.
  and (
    (
      profile.by_sender().prevalence in ("new", "outlier")
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or sender.email.email == "noreply@salesforce.com"
    // sent via Google group
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        // distinct() over hops that carry a DMARC result; any "*fail" result counts
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

      // salesforce has been abused for meta phishing campaigns repeatedly
      // (this branch overrides the high-trust exemption even when DMARC passes)
    or sender.email.domain.root_domain == "salesforce.com"
  )
  // global suppression: never fire on a sender profile with recorded false positives
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"