Brand impersonation: Meta and subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
Sublime rule
name: "Brand impersonation: Meta and subsidiaries"
description: |
  Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  // Scope: inbound mail only. The brand-impersonation signals below are OR'd
  // together, then gated by the sender-domain / trust exclusions at the end.
  type.inbound
  and (
    // sender display name is a strong enough indicator
    // that it can be used without any other impersonation logic
    (
      regex.icontains(sender.display_name,
                      'facebook ?ads',
                      'facebook ?business',
                      'meta ?account',
                      'meta ?help',
                      'meta ?support',
                      'meta ?business',
                      'meta ?for ?business',
                      'meta ?policy',
                      'page ?ads ?support',
                      'Instagram ?Not',
                      'Instagram ?Policies',
                      'Instagram ?Report',
                      'Instagram ?Helpdesk',
                      'Instagram ?Support',
                      'Ads ?Team',
                      'Meta & Coursera'
      )
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or (
        strings.levenshtein(sender.display_name, 'Meta Support') <= 2
        // negation for Zeta Support
        // NOTE(review): this exclusion keys on display name and root domain only;
        // the Veza exclusion just below additionally requires a DMARC pass
        and not (
          sender.display_name == "Zeta Support"
          and sender.email.domain.root_domain == 'zetaglobal.net'
        )
        and not (
          sender.display_name == "Veza Support"
          and sender.email.domain.root_domain == 'veza.com'
          and headers.auth_summary.dmarc.pass
        )
      )
      or strings.ilike(sender.email.domain.domain, '*facebook*')
      or strings.ilike(sender.email.local_part,
                       "*instagramlive*",
                       "*facebooksupport*"
      )
    )
    // the use of these keywords (facebook, meta, meta.*support)
    // or the levenshtein distance to facebook
    // are less strong and thus need to be combined with logo detection or nlu
    or (
      (
        (
          // the [\p{Mn}\p{Cf}]* classes tolerate combining marks and format
          // (e.g. zero-width) characters inserted between the brand letters
          regex.icontains(sender.display_name,
                          '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
                          '\binstagr(am)?\b'
          )
          // negate metageek.com
          and not (
            strings.icontains(sender.display_name, 'MetaGeek Support')
            and sender.email.domain.root_domain == "metageek.com"
          )
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      // corroborating signal: brand logo, NLU intent, policy-violation wording,
      // or a link through the rebrand.ly shortener
      and (
        any(ml.logo_detect(beta.message_screenshot()).brands,
            .name in ("Facebook", "Meta", "Instagram", "Threads")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("medium", "high")
        )
        or regex.icontains(body.plain.raw, "(violation|infringe|copyright)")
        or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
      )
    )
    // salesforce sender combined with logo detection and nlu is enough
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(beta.message_screenshot()).brands,
              .name in ("Facebook", "Meta", "Instagram", "Threads")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("medium", "high")
      )
    )
    or
    // or the body contains a facebook/meta footer with the address citing "community support"
    (
      regex.icontains(body.current_thread.text,
                      '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and (
        any(body.links,
            strings.ends_with(.href_url.domain.domain, 'facebook.com')
            and strings.starts_with(.href_url.path, '/msg/')
        )
        or (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
          )
        )
        // or a recipient address is embedded in a link: as plain text in the URL,
        // or base64-encoded in the URL or its fragment
        or any(recipients.to,
               .email.domain.valid
               and any(body.links,
                       strings.icontains(.href_url.url, ..email.email)
                       or any(beta.scan_base64(.href_url.url,
                                               format="url",
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
                       or any(beta.scan_base64(.href_url.fragment,
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
               )
        )
      )
    )
    // we've seen advertising "advice/recommendations"
    or (
      // all(), not any(): every detected topic must fall in this set
      all(beta.ml_topic(body.current_thread.text).topics,
          .name in ("Advertising and Promotions", "Reminders and Notifications")
      )
      // Meta mention
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "org" and strings.icontains(.text, 'Community Guidelines')
        )
        or regex.icontains(body.current_thread.text,
                           '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
    )
    or (
      strings.icontains(body.current_thread.text, "Meta Professional Certificate")
      and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
    )
  )
  // exclude Meta's own sending domains plus a few known false-positive sources
  // (in~ is a case-insensitive membership test)
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'instagram.com',
    'medallia.com',
    'fbworkmail.com',
    'workplace.com',
    'capterra.com', // they mention "Community Guidelines"
    'facebookblueprint.com',
    'metaenterprisemail.com'
  )
  // negate metaenterprise links
  // NOTE(review): Reply-To is supplied by the sending party and is not checked
  // against authentication results here; this exclusion matches on its value alone
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")

  // negate highly trusted sender domains unless they fail DMARC authentication
  // $high_trust_sender_root_domains is a list referenced by this rule -- presumably
  // organization-managed; confirm where it is maintained
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly
    or sender.email.domain.root_domain == "salesforce.com"
  )
  // NOTE(review): sender-profile based suppression -- confirm the semantics of
  // any_messages_benign before relying on it to exempt a sender
  and not profile.by_sender().any_messages_benign
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"