Brand impersonation: Facebook
Impersonation of Facebook.
Sublime rule
name: "Brand impersonation: Facebook"
description: |
  Impersonation of Facebook.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*facebook ads*', '*facebook business*')
    or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
    or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
    or strings.ilike(sender.email.domain.domain, '*facebook*')
  )
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com'
  )
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"
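
To see how the rule's conditions combine, the following added example (not part of the Sublime rule or the project's code) re-implements the `source` logic in Python and evaluates it against constructed senders. The helper names, the sample addresses and the two-label `root_domain` shortcut are assumptions made for illustration; the rule itself runs in Sublime's MQL engine.

```python
from fnmatch import fnmatchcase

ALLOWED_ROOTS = {"facebook.com", "facebookmail.com",
                 "eventsatfacebook.com", "facebookenterprise.com"}

def ilevenshtein(a, b):
    """Case-insensitive edit distance (insert, delete, substitute)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def ilike(value, *patterns):
    """Case-insensitive '*' wildcard match against any of the patterns."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def root_domain(domain):
    # Assumption: last two labels; production code would use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def rule_matches(display_name, sender_email, recipient_emails, inbound=True):
    domain = sender_email.rsplit("@", 1)[-1]
    brand_signal = (
        ilike(display_name, "*facebook ads*", "*facebook business*")
        or ilevenshtein(display_name, "facebook ads") <= 2
        or ilevenshtein(display_name, "facebook business") <= 2
        or ilike(domain, "*facebook*")
    )
    return (inbound and brand_signal
            and root_domain(domain) not in ALLOWED_ROOTS
            and sender_email not in recipient_emails)

# Constructed sample senders (not real traffic).
RECIPIENTS = ["known.contact@partner.example"]
SAMPLES = [
    ("Facebook Ads Team", "support@mailer.example"),        # wildcard on display name
    ("Faceb00k Ads", "noreply@mailer.example"),             # edit distance 2
    ("Account Notice", "alerts@facebook-help.example"),     # 'facebook' in sender domain
    ("Facebook Business", "notify@business.facebook.com"),  # allowlisted root domain
    ("Weekly Newsletter", "news@mailer.example"),           # no brand signal
    ("Facebook Ads", "known.contact@partner.example"),      # sender in $recipient_emails
]

if __name__ == "__main__":
    for name, addr in SAMPLES:
        print(f"{rule_matches(name, addr, RECIPIENTS)!s:5}  {name!r} <{addr}>")
```

The first three samples match and the last three do not: the allowlisted root domain and the `$recipient_emails` exclusion each suppress a sender that otherwise carries a brand signal.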