Brand impersonation: Meta and subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
Sublime rule (View on GitHub)
# Sublime Security detection rule: YAML metadata plus an MQL expression in `source`.
# Matches inbound mail impersonating Meta, Facebook or Instagram by combining
# sender display-name / address heuristics with body, subject, logo and NLU
# signals, then carving out senders observed to be legitimate.
name: "Brand impersonation: Meta and subsidiaries"
description: |
  Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  type.inbound
  // one of several positive indicator groups must fire; the exclusions
  // further down are ANDed against all of them
  and (
    // sender display name is a strong enough indicator
    // that it can be used without any other impersonation logic
    (
      regex.icontains(sender.display_name,
        // this regex looks for a commonly abused phrase starting with 'meta', potentially containing a version of the word 'verified', followed by phrases that have been observed in campaigns.
        // the `.?` between letters tolerates a single inserted character (space, dot, zero-width, etc.)
        '\bm.?e.?t.?a\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|service|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',

        // this regex also looks for a commonly abused phrase starting with 'meta', followed by a phrase, then 'team' with no separating spaces.
        '\bm.?e.?t.?a(?:recruiting|pro|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy)team',

        // this regex is similar to the first in this section, but starts with facebook instead of meta
        '\bf.?a.?c.?e.?b.?o.?o.?k\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|ads[ -]?team|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',
        // remaining patterns are individual display-name phrasings seen in lures
        '^[a-z]+ from \bmeta$',
        'page ?ads ?support',
        'Instagram\s*(?:Not|Policies|Report|Helpdesk|Support)',
        '\bMeta & Coursera',
        'Compliance & Security',
        'social.?media.?\b(?:master|expert|pro|guru)\b',
        '\bmeta\b.?(?:social|skill|ads).?(?:star|set|expert)'
      )
      // 'facebook' with optional U+200A (hair space) between letters: the plain
      // spelling is explicitly excluded below, so only the obfuscated form matches
      or (
        regex.icontains(sender.display_name,
          "f\u{200a}?a\u{200a}?c\u{200a}?e\u{200a}?b\u{200a}?o\u{200a}?o\u{200a}?k"
        )
        and not strings.icontains(sender.display_name, 'facebook')
      )
      // U+24C2 is CIRCLED LATIN CAPITAL LETTER M (Ⓜ), used as a stand-in for the Meta logo
      or strings.contains(sender.display_name, "\u{24C2}")
      // close misspellings of the two most common Facebook-branded display names
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or strings.ilike(sender.email.domain.domain, '*facebook*')
      or strings.ilike(sender.email.local_part,
        "*instagramlive*",
        "*facebooksupport*"
      )
      or strings.icontains(sender.email.domain.subdomain, 'meta-')
    )
    // the use of these keywords (facebook, instagram)
    // or the levenshtein distance to facebook
    // are less strong and thus need to be combined with logo detection or nlu
    or (
      (
        regex.icontains(sender.display_name,
          // [\p{Mn}\p{Cf}]* between letters tolerates interleaved non-spacing
          // marks and format (zero-width) characters used to defeat plain matching
          '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
          '\binstagr(am)?\b',
          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a\b'
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
        // NOTE(review): presumably a no-reply relay seen delivering these lures;
        // the reason is not documented here — confirm against samples
        or sender.email.email == 'noreply@appsheet.com'
      )
      // at least two corroborating signals are required for the weak indicators above
      and 2 of (
        any(ml.logo_detect(file.message_screenshot()).brands,
          .name in ("Facebook", "Meta", "Instagram", "Threads")
        ),
        any(ml.nlu_classifier(body.current_thread.text).intents,
          .name in ("cred_theft", "callback_scam", "steal_pii")
          and .confidence in ("medium", "high")
        ),
        // short body with violation/infringement language
        (
          length(body.current_thread.text) < 2000
          and regex.icontains(body.current_thread.text, "(?:violation|infringe)")
        ),
        regex.icontains(subject.base,
          '\b(?:recruiting|permanently|locked|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|business|policy|verif(?:y|i(?:cado|ed))|Vérifié|Trademark|Misuse|Review|Violation|Warning|Restriction|Inappropriate|service|Content|multiple reports)\b'
        ),
        // links pointing at infrastructure anyone can provision (per the list names)
        any(body.links,
          .href_url.domain.root_domain in $self_service_creation_platform_domains
          or .href_url.domain.root_domain in $free_file_hosts
          or .href_url.domain.root_domain in $free_subdomain_hosts
          or .href_url.domain.root_domain in $url_shorteners
        ),
        sender.email.domain.root_domain in $free_email_providers
      )
    )
    // salesforce sender combined with logo detection and nlu is enough
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(file.message_screenshot()).brands,
        .name in ("Facebook", "Meta", "Instagram", "Threads")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
        .name in ("cred_theft", "callback_scam", "steal_pii")
        and .confidence in ("medium", "high")
      )
    )
    or
    // or the body contains a facebook/meta footer with the address citing "community support"
    (
      (
        // Meta HQ postal address; a near-identical pattern is repeated in the
        // advertising-advice branch further down — keep the two in sync
        regex.icontains(body.current_thread.text,
          '(?:1\s+(?:Facebook|Hacker|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
        or (
          regex.icontains(body.current_thread.text,
            '(?:Security Team © Meta|Meta Support Team)'
          )
        )
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and (
        any(body.links,
          strings.ends_with(.href_url.domain.domain, 'facebook.com')
          and strings.starts_with(.href_url.path, '/msg/')
        )
        // stricter confidence than the other NLU checks in this rule
        or (
          any(ml.nlu_classifier(body.current_thread.text).intents,
            .name in ("cred_theft", "callback_scam", "steal_pii")
            and .confidence in ("high")
          )
        )
        // a recipient address embedded in a link, either literally or inside
        // base64 in the URL or its fragment (recipient-prefilled lure pages)
        or any(recipients.to,
          .email.domain.valid
          and any(body.links,
            strings.icontains(.href_url.url, ..email.email)
            or any(beta.scan_base64(.href_url.url,
                     format="url",
                     ignore_padding=true
                   ),
                   strings.icontains(., ...email.email)
            )
            or any(beta.scan_base64(.href_url.fragment,
                     ignore_padding=true
                   ),
                   strings.icontains(., ...email.email)
            )
          )
        )
      )
    )
    // we've seen advertising "advice/recommendations"
    or (
      // every detected topic must be one of these two
      all(ml.nlu_classifier(body.current_thread.text).topics,
        .name in ("Advertising and Promotions", "Reminders and Notifications")
      )
      // Meta mention
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
          .name == "org" and strings.icontains(.text, 'Community Guidelines')
        )
        // same HQ address as the footer branch above, with \bMeta\b bounded here
        or regex.icontains(body.current_thread.text,
          '(1\s+(Facebook|Hacker|\bMeta\b)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
        .name == "urgency"
      )
    )
    // Coursera-branded link text whose destination is not coursera.org
    or (
      strings.icontains(body.current_thread.text, "Meta Professional Certificate")
      and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
      // Add link validation
      and any(body.links,
        strings.icontains(.display_text, "coursera")
        and .href_url.domain.root_domain != "coursera.org"
      )
    )
    // NOTE(review): '1602 Willow Road' / 'CA 91024' differ from the
    // '1601 Willow Rd' / '94025' address matched above; presumably a mistyped
    // address copied from a specific lure template — confirm it is intentional
    or 2 of (
      strings.icontains(body.current_thread.text, 'Meta '),
      strings.icontains(body.current_thread.text, '1602 Willow Road'),
      strings.icontains(body.current_thread.text, 'Menlo Park, CA 91024'),
    )
  )
  // exclusions: legitimate Meta properties and unrelated domains that
  // trip the keyword logic (`in~` compares case-insensitively)
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'instagram.com',
    'medallia.com',
    'fbworkmail.com',
    'workplace.com',
    'capterra.com', // they mention "Community Guidelines"
    'facebookblueprint.com',
    'metaenterprisemail.com',
    'pigfacebookstore.com.au', // unrelated domain but hitting on facebook
    'metacompliance.com',
    'metaprop.com', // unrelated domain but hitting on meta pro
    'oakley.com', // meta intelligence glasses
    'facebookuserprivacysettlement.com', // fb settlement website
    'perceptyx.com', // ai employee engagement
    'unroll.me', // unroll contains instagram logo
    'har.com' // facebook ads management
  )
  // negate metaenterprise links
  // NOTE(review): Reply-To is set by the sender and this exclusion is ANDed at the
  // top level, so any message carrying this Reply-To value bypasses the whole rule
  // regardless of sending domain or authentication result; consider pairing it
  // with a sending-domain or auth condition — confirm against legitimate samples
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")

  // meta wiki renamer
  and not (
    sender.display_name == 'Meta-Wiki'
    and sender.email.domain.root_domain == 'wikimedia.org'
  )

  // we dont want emails where all the links go to meta domains
  and not (
    (
      length(body.links) > 1
      and all(body.links,
        .href_url.domain.root_domain in (
          'facebook.com',
          'instagram.com',
          'meta.com'
        )
        // '/share/' paths are not treated as first-party links here
        and not strings.istarts_with(.href_url.path, '/share/')
      )
    )
    // too many links
    or length(body.links) > 20
  )

  // no previous threads
  and length(body.previous_threads) == 0

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly
    // (this re-admits salesforce.com even when it is high-trust and passes DMARC)
    or sender.email.domain.root_domain == "salesforce.com"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"