Brand impersonation: Meta and subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
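name: "Brand impersonation: Meta and subsidiaries"
description: |
  Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  // Structure: one of several Meta/Facebook/Instagram impersonation signals
  // (strong sender-name signals alone, weaker signals combined with logo/NLU
  // evidence, a Salesforce-relayed lookalike, a forged Menlo Park footer, an
  // "advice" style ad, or the Coursera certificate lure), then exclusions for
  // legitimate Meta domains, trusted senders that pass DMARC, and known-benign
  // sender profiles.
  type.inbound
  and (
    // sender display name is a strong enough indicator
    // that it can be used without any other impersonation logic
    (
      regex.icontains(sender.display_name,
                      'facebook ?ads',
                      'facebook ?business',
                      'meta ?account',
                      'meta ?help',
                      'meta ?support',
                      'meta ?business',
                      'meta ?for ?business',
                      'meta ?policy',
                      'page ?ads ?support',
                      'Instagram ?Not',
                      'Instagram ?Policies',
                      'Instagram ?Report',
                      'Instagram ?Helpdesk',
                      'Instagram ?Support',
                      'Ads ?Team',
                      'Meta & Coursera',
                      'Compliance & Security',
                      'meta.*inc'
      )
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or (
        // NOTE(review): case-sensitive levenshtein here, unlike the ilevenshtein
        // checks above; the exact-match exceptions below are case-sensitive too,
        // so the two agree — confirm this is intended before changing either.
        strings.levenshtein(sender.display_name, 'Meta Support') <= 2
        // negation for Zeta Support; DMARC pass is required so a spoofed
        // zetaglobal.net From address cannot use this exception (same
        // condition as the Veza exception below)
        and not (
          sender.display_name == "Zeta Support"
          and sender.email.domain.root_domain == 'zetaglobal.net'
          and headers.auth_summary.dmarc.pass
        )
        // negation for Veza Support, again only when DMARC passes
        and not (
          sender.display_name == "Veza Support"
          and sender.email.domain.root_domain == 'veza.com'
          and headers.auth_summary.dmarc.pass
        )
      )
      or strings.ilike(sender.email.domain.domain, '*facebook*')
      or strings.ilike(sender.email.local_part,
                       "*instagramlive*",
                       "*facebooksupport*"
      )
    )
    // the use of these keywords (facebook, meta, meta.*support)
    // or the levenshtein distance to facebook
    // are less strong and thus need to be combined with logo detection or nlu
    or (
      (
        (
          // [\p{Mn}\p{Cf}]* between letters tolerates combining marks and
          // format characters (e.g. zero-width joiners) inserted into the
          // brand name, which would otherwise defeat a plain substring match
          regex.icontains(sender.display_name,
                          '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
                          '\binstagr(am)?\b'
          )
          // negate metageek.com
          and not (
            strings.icontains(sender.display_name, 'MetaGeek Support')
            and sender.email.domain.root_domain == "metageek.com"
          )
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      // corroborating evidence: brand logo, phishing intent, violation/copyright
      // pretext in a short body, or a rebrand.ly shortened link
      and (
        any(ml.logo_detect(file.message_screenshot()).brands,
            .name in ("Facebook", "Meta", "Instagram", "Threads")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("medium", "high")
        )
        or (
          length(body.current_thread.text) < 2000
          and regex.icontains(body.current_thread.text,
                              "(?:violation|infringe|copyright)"
          )
        )
        or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
      )
    )
    // salesforce sender combined with logo detection and nlu is enough
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name in ("Facebook", "Meta", "Instagram", "Threads")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("medium", "high")
      )
    )
    // or the body contains a facebook/meta footer with the address citing "community support"
    or (
      regex.icontains(body.current_thread.text,
                      '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and (
        any(body.links,
            strings.ends_with(.href_url.domain.domain, 'facebook.com')
            and strings.starts_with(.href_url.path, '/msg/')
        )
        or (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
          )
        )
        // or a link carries the recipient's own address, in plain text or
        // base64 in the URL or its fragment (a common pre-fill technique)
        or any(recipients.to,
               .email.domain.valid
               and any(body.links,
                       strings.icontains(.href_url.url, ..email.email)
                       or any(beta.scan_base64(.href_url.url,
                                               format="url",
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
                       or any(beta.scan_base64(.href_url.fragment,
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
               )
        )
      )
    )
    // we've seen advertising "advice/recommendations"
    or (
      all(beta.ml_topic(body.current_thread.text).topics,
          .name in ("Advertising and Promotions", "Reminders and Notifications")
      )
      // Meta mention
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "org" and strings.icontains(.text, 'Community Guidelines')
        )
        or regex.icontains(body.current_thread.text,
                           '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
    )
    // Coursera/Meta certificate lure
    or (
      strings.icontains(body.current_thread.text, "Meta Professional Certificate")
      and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
    )
  )
  // exclude Meta-owned and other known sender root domains (case-insensitive)
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'instagram.com',
    'medallia.com',
    'fbworkmail.com',
    'workplace.com',
    'capterra.com', // they mention "Community Guidelines"
    'facebookblueprint.com',
    'metaenterprisemail.com',
    'pigfacebookstore.com.au' // unrelated domain but hitting on facebook
  )
  // negate metaenterprise links
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly
    or sender.email.domain.root_domain == "salesforce.com"
  )
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"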