Brand impersonation: Meta/Facebook
Impersonation of Meta or Meta's subsidiary Facebook.
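name: "Brand impersonation: Meta/Facebook"
description: |
  Impersonation of Meta or Meta's subsidiary Facebook.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    // Branch 1: specific product/support names in the display name (exact wildcard
    // match or within edit distance 2), or a sender domain containing "facebook".
    // These are specific enough that no content signal is required.
    (
      strings.ilike(sender.display_name,
                    '*facebook ads*',
                    '*facebook business*',
                    '*meta support*',
                    '*meta for business*',
                    '*meta policy*'
      )
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or strings.ilevenshtein(sender.display_name, 'meta support') <= 2
      or strings.ilike(sender.email.domain.domain, '*facebook*')
    )
    // Branch 2: broad display-name match. '*meta*' also matches unrelated words
    // (e.g. "metadata"), so this branch additionally requires either a detected
    // Facebook/Meta logo in the rendered message or a high-confidence
    // credential-theft / callback-scam / PII-theft intent in the body text.
    or (
      (
        strings.ilike(sender.display_name, '*facebook*', '*meta*')
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      and (
        any(ml.logo_detect(beta.message_screenshot()).brands,
            .name in ("Facebook", "Meta")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("high")
        )
      )
    )
  )
  // root domains treated as legitimate Meta/Facebook senders (case-insensitive match)
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'medallia.com'
  )
  // sender-reputation gate: the sender is uncommon and unsolicited, has prior
  // malicious/spam history with no false positives, or arrives via a relay
  // (Salesforce, Google Groups) that hides the true sender profile
  and (
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    or sender.email.email == "noreply@salesforce.com"
    // sent via Google group
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly,
    // so it is not exempted even when it passes DMARC
    or sender.email.domain.root_domain == "salesforce.com"
  )
  // final guard: never fire on a sender with a recorded false positive
  and not profile.by_sender().any_false_positives

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# The source uses ml.logo_detect (computer vision) and ml.nlu_classifier (NLU)
# in addition to header and sender-profile checks, so all four are listed.
detection_methods:
  - "Computer Vision"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"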