Brand impersonation: Meta and subsidiaries

Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.

Sublime rule

   # Sublime MQL detection rule. Shape of the `source` query, top to bottom:
   #   1. strong sender-identity signals (display name, local part, domain) that fire on their own;
   #   2. weaker brand keywords that must be corroborated by logo detection, an NLU intent,
   #      violation/copyright wording, or a rebrand.ly link;
   #   3. narrower cases (salesforce.com senders, a Meta HQ address footer, ad-topic messages,
   #      the "Meta & Coursera" certificate lure), each with its own corroboration;
   #   then global exclusions: Meta-owned root domains, Meta's own noreply reply-to, trusted
   #   sender domains that pass DMARC, and senders with benign message history.
  1name: "Brand impersonation: Meta and subsidiaries"
  2description: |
  3    Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
  4references:
  5  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
  6type: "rule"
  7severity: "low"
  8source: |
  9  type.inbound
 10  and (
 11    // sender display name is a strong enough indicator
 12    // that it can be used without any other impersonation logic
 13    (
 14      regex.icontains(sender.display_name,
 15                      'facebook ?ads',
 16                      'facebook ?business',
 17                      'meta ?account',
 18                      'meta ?help',
 19                      'meta ?support',
 20                      'meta ?business',
 21                      'meta ?for ?business',
 22                      'meta ?policy',
 23                      'page ?ads ?support',
 24                      'Instagram ?Not',
 25                      'Instagram ?Policies',
 26                      'Instagram ?Report',
 27                      'Instagram ?Helpdesk',
 28                      'Instagram ?Support',
 29                      'Ads ?Team',
 30                      'Meta & Coursera',
 31                      'Compliance & Security',
 32                      'meta.*inc'
 33      )
         // case-insensitive edit distance of at most 2: one or two substituted,
         // inserted or dropped characters relative to the genuine display name
 34      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
 35      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
 36      or (
           // note: case-sensitive levenshtein here, unlike the ilevenshtein checks above
 37        strings.levenshtein(sender.display_name, 'Meta Support') <= 2
 38        // negation for Zeta Support
           // NOTE(review): this carve-out matches on display name and root domain alone;
           // unlike the Veza carve-out below it does not require a DMARC pass, so a sender
           // spoofing both fields would be exempted — confirm that is intended
 39        and not (
 40          sender.display_name == "Zeta Support"
 41          and sender.email.domain.root_domain == 'zetaglobal.net'
 42        )
           // Veza carve-out: only honoured when the message is DMARC-authenticated
 43        and not (
 44          sender.display_name == "Veza Support"
 45          and sender.email.domain.root_domain == 'veza.com'
 46          and headers.auth_summary.dmarc.pass
 47        )
 48      )
         // any sending domain containing "facebook"; genuine Meta root domains are
         // removed by the root_domain exclusion list further down
 49      or strings.ilike(sender.email.domain.domain, '*facebook*')
 50      or strings.ilike(sender.email.local_part,
 51                       "*instagramlive*",
 52                       "*facebooksupport*"
 53      )
 54    )
 55    // the use of these keywords (facebook, meta, meta.*support)
 56    // or the levenshtein distance to facebook
 57    // are less strong and thus need to be combined with logo detection or nlu 
 58    or (
 59      (
 60        (
             // [\p{Mn}\p{Cf}]* between the letters tolerates combining marks and format
             // characters (zero-width and similar) inserted to defeat a plain substring match
 61          regex.icontains(sender.display_name,
 62                          '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
 63                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
 64                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
 65                          '\binstagr(am)?\b'
 66          )
 67          // negate metageek.com
 68          and not (
 69            strings.icontains(sender.display_name, 'MetaGeek Support')
 70            and sender.email.domain.root_domain == "metageek.com"
 71          )
 72        )
 73        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
 74      )
         // corroboration: at least one of the four signals below must also be present
 75      and (
           // a Meta-family brand logo detected in a rendered screenshot of the message
 76        any(ml.logo_detect(file.message_screenshot()).brands,
 77            .name in ("Facebook", "Meta", "Instagram", "Threads")
 78        )
           // or an NLU phishing/scam intent at medium or high confidence
 79        or any(ml.nlu_classifier(body.current_thread.text).intents,
 80               .name in ("cred_theft", "callback_scam", "steal_pii")
 81               and .confidence in ("medium", "high")
 82        )
           // or a short body using policy-violation / copyright wording
 83        or (
 84          length(body.current_thread.text) < 2000
 85          and regex.icontains(body.current_thread.text,
 86                              "(?:violation|infringe|copyright)"
 87          )
 88        )
           // or a rebrand.ly shortened link
 89        or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
 90      )
 91    )
 92    // salesforce sender combined with logo detection and nlu is enough
 93    or (
 94      sender.email.domain.root_domain == "salesforce.com"
 95      and any(ml.logo_detect(file.message_screenshot()).brands,
 96              .name in ("Facebook", "Meta", "Instagram", "Threads")
 97      )
 98      and any(ml.nlu_classifier(body.current_thread.text).intents,
 99              .name in ("cred_theft", "callback_scam", "steal_pii")
100              and .confidence in ("medium", "high")
101      )
102    )
103    or 
104    // or the body contains a facebook/meta footer with the address citing "community support" 
105    (
106      regex.icontains(body.current_thread.text,
107                      '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
108      )
109      // and it contains a link to spawn a chat with facebook - this is not the way support operates
110      and (
111        any(body.links,
112            strings.ends_with(.href_url.domain.domain, 'facebook.com')
113            and strings.starts_with(.href_url.path, '/msg/')
114        )
           // or a high-confidence phishing/scam intent
115        or (
116          any(ml.nlu_classifier(body.current_thread.text).intents,
117              .name in ("cred_theft", "callback_scam", "steal_pii")
118              and .confidence in ("high")
119          )
120        )
           // or a link carrying a recipient's own address, either in clear text
           // or base64-encoded inside the URL or its fragment
121        or any(recipients.to,
122               .email.domain.valid
123               and any(body.links,
124                       strings.icontains(.href_url.url, ..email.email)
125                       or any(beta.scan_base64(.href_url.url,
126                                               format="url",
127                                               ignore_padding=true
128                              ),
129                              strings.icontains(., ...email.email)
130                       )
131                       or any(beta.scan_base64(.href_url.fragment,
132                                               ignore_padding=true
133                              ),
134                              strings.icontains(., ...email.email)
135                       )
136               )
137        )
138      )
139    )
140    // we've seen advertising "advice/recommendations"
       // every detected topic must be advertising or notification, the body must mention
       // Meta (org entity citing Community Guidelines, or the HQ address), and an urgency
       // entity must be present
141    or (
142      all(beta.ml_topic(body.current_thread.text).topics,
143          .name in ("Advertising and Promotions", "Reminders and Notifications")
144      )
145      // Meta mention
146      and (
147        any(ml.nlu_classifier(body.current_thread.text).entities,
148            .name == "org" and strings.icontains(.text, 'Community Guidelines')
149        )
150        or regex.icontains(body.current_thread.text,
151                           '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
152        )
153      )
154      and any(ml.nlu_classifier(body.current_thread.text).entities,
155              .name == "urgency"
156      )
157    )
       // "Meta Professional Certificate" lure signed by the "Meta & Coursera Team"
158    or (
159      strings.icontains(body.current_thread.text, "Meta Professional Certificate")
160      and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
161    )
162  )
     // exclusion list of sending root domains (Meta-owned plus a few known benign hits);
     // in~ is the case-insensitive membership test
163  and sender.email.domain.root_domain not in~ (
164    'facebook.com',
165    'facebookmail.com',
166    'eventsatfacebook.com',
167    'facebookenterprise.com',
168    'meta.com',
169    'metamail.com',
170    'instagram.com',
171    'medallia.com',
172    'fbworkmail.com',
173    'workplace.com',
174    'capterra.com', // they mention "Community Guidelines"
175    'facebookblueprint.com',
176    'metaenterprisemail.com',
177    'pigfacebookstore.com.au' // unrelated domain but hitting on facebook 
178  )
179  // negate metaenterprise links
     // (legitimate Meta mail whose reply-to is Meta's own noreply address)
180  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
181  
182  // negate highly trusted sender domains unless they fail DMARC authentication
     // a trusted-domain sender still fires when DMARC fails; non-trusted domains always pass
     // through; salesforce.com is never exempt regardless of its trust status
183  and (
184    (
185      sender.email.domain.root_domain in $high_trust_sender_root_domains
186      and not headers.auth_summary.dmarc.pass
187    )
188    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
189  
190    // salesforce has been abused for meta phishing campaigns repeatedly 
191    or sender.email.domain.root_domain == "salesforce.com"
192  )
     // NOTE(review): any prior benign message from the sender suppresses the rule outright;
     // presumably this also suppresses a compromised or abused legitimate sender — confirm
     // that trade-off is accepted
193  and not profile.by_sender().any_messages_benign  
194
195attack_types:
196  - "Credential Phishing"
197tactics_and_techniques:
198  - "Impersonation: Brand"
199  - "Lookalike domain"
200  - "Social engineering"
201detection_methods:
202  - "Header analysis"
203  - "Sender analysis"
204id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"