Brand impersonation: Meta/Facebook

Impersonation of Meta or Meta's subsidiary Facebook.

Sublime rule (View on GitHub)

# Sublime Security detection rule (YAML metadata + MQL query in `source`).
# Flags inbound mail that impersonates Meta or Facebook via the sender display
# name, sender domain, detected branding, or a spoofed support footer, then
# suppresses genuine Meta sending domains and trusted/known-good sender profiles.
name: "Brand impersonation: Meta/Facebook"
description: |
    Impersonation of Meta or Meta's subsidiary Facebook.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
# The query below is an MQL literal block. Comments inside it must use `//`,
# because a `#` would become part of the YAML string.
source: |
  // Only inbound messages are evaluated.
  type.inbound
  // --- Impersonation signals: at least one of the three branches must match ---
  and (
    // Branch 1: display name or sender domain resembles a Meta/Facebook brand.
    (
      strings.ilike(sender.display_name,
                    '*facebook ads*',
                    '*facebook business*',
                    '*meta support*',
                    '*meta for business*',
                    '*meta policy*'
      )
      // Near-miss spellings: case-insensitive edit distance of at most 2.
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or strings.ilevenshtein(sender.display_name, 'meta support') <= 2
      // Full sender domain (not only the root domain) contains "facebook".
      or strings.ilike(sender.email.domain.domain, '*facebook*')
    )
    // Branch 2: a plain brand mention in the display name, corroborated by either
    // a detected Meta/Facebook logo in the rendered message or a high-confidence
    // phishing-style intent from the NLU classifier.
    or (
      (
        regex.icontains(sender.display_name, '\bfacebook\b', '\bmeta\b', '\bmeta.*support\b')
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      and (
        any(ml.logo_detect(beta.message_screenshot()).brands,
            .name in ("Facebook", "Meta")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("high")
        )
      )
    )
    or 
    // or the body contains a facebook/meta footer with the address citing "community support" 
    // Branch 3: exact (case-insensitive) substring match on the footer text; a
    // wording change in the genuine footer would silently disable this branch.
    (
      strings.icontains(body.current_thread.text,
                        "Meta Platforms, Inc., Attention: Community Support, 1 Facebook Way, Menlo Park, CA 94025"
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      // NOTE(review): ends_with without a leading dot also matches any domain that
      // merely ends in this string; confirm whether matching .href_url.domain.root_domain
      // against 'facebook.com' is the intended, tighter check.
      and any(body.links,
              strings.ends_with(.href_url.domain.domain, 'facebook.com')
              and strings.starts_with(.href_url.path, '/msg/')
      )
    )
  )
  // --- Suppression: genuine Meta/Facebook sending root domains (in~ = case-insensitive) ---
  // medallia.com is presumably a survey vendor sending on Meta's behalf - confirm.
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'medallia.com'
  )
  // negate metaenterprise links
  // NOTE(review): the comment above says "metaenterprise" but the check keys on a
  // facebookmail.com Reply-To address; confirm which legitimate flow this exempts.
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
  // --- Sender reputation gates: at least one must hold ---
  and (
    // Unfamiliar sender that the recipient never solicited.
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    // Sender with prior malicious/spam history and no recorded false positives.
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // Salesforce's shared no-reply address is kept in scope regardless of prevalence.
    or sender.email.email == "noreply@salesforce.com"
    // sent via Google group
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  )
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  
    // salesforce has been abused for meta phishing campaigns repeatedly 
    // (keeps salesforce.com in scope even if it is high-trust and passes DMARC)
    or sender.email.domain.root_domain == "salesforce.com"
  )
  // Global false-positive suppression. This also makes the same check inside the
  // reputation gate above redundant, but harmless.
  and not profile.by_sender().any_false_positives  

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"