Brand impersonation: Meta and subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
Sublime rule (View on GitHub)
name: "Brand impersonation: Meta and subsidiaries"
description: |
  Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  // Structure of the rule:
  //   1. one of several Meta/Facebook/Instagram indicators must fire
  //      (strong display-name matches on their own, weaker matches only
  //      together with logo detection / NLU / body cues), then
  //   2. known-legitimate sender domains, a Reply-To carve-out, the
  //      high-trust-domain list (unless DMARC fails) and senders with a
  //      benign history are excluded.
  type.inbound
  and (
    // --- Strong indicators: display name alone is enough ---------------------
    (
      regex.icontains(sender.display_name,
                      'facebook ?ads',
                      'facebook ?business',
                      'meta ?account',
                      'meta ?help',
                      'meta ?support',
                      'meta ?business',
                      'meta ?for ?business',
                      'meta ?policy',
                      'page ?ads ?support',
                      'Instagram ?Not',
                      'Instagram ?Policies',
                      'Instagram ?Report',
                      'Instagram ?Helpdesk',
                      'Instagram ?Support',
                      'Ads ?Team',
                      'Meta & Coursera',
                      'Compliance & Security',
                      'meta.*inc',
                      'meta ?copyright',
                      'meta ?compliance',
                      'meta ?pro',
                      'meta ?certify',
                      'social.?media.?(master|expert|pro|guru)',
                      'meta.?(social|skill|ads).?(star|set|expert)'
      )
      // near-misses of the well-known display names (up to two edits)
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or (
        // NOTE(review): this comparison is case-sensitive (levenshtein, not
        // ilevenshtein) while the two above are case-insensitive — confirm
        // that is intended.
        strings.levenshtein(sender.display_name, 'Meta Support') <= 2
        // "Zeta Support" is within two edits of "Meta Support"; carve it out
        // only when it comes from its own root domain
        and not (
          sender.display_name == "Zeta Support"
          and sender.email.domain.root_domain == 'zetaglobal.net'
        )
        // same for "Veza Support", additionally requiring a DMARC pass
        and not (
          sender.display_name == "Veza Support"
          and sender.email.domain.root_domain == 'veza.com'
          and headers.auth_summary.dmarc.pass
        )
        and not sender.display_name == "Get Support"
      )
      // brand name inside the sending domain or the local part
      or strings.ilike(sender.email.domain.domain, '*facebook*')
      or strings.ilike(sender.email.local_part,
                       "*instagramlive*",
                       "*facebooksupport*"
      )
    )
    // --- Weaker indicators: brand keywords in the display name ----------------
    // (facebook, meta, meta.*support, instagram) or a small edit distance to
    // "facebook" are not specific enough on their own and must be paired with
    // logo detection, NLU, body keywords or a rebrand.ly link.
    or (
      (
        (
          // each letter may be followed by combining marks (\p{Mn}) or format
          // characters (\p{Cf}) so that visually padded spellings still match
          regex.icontains(sender.display_name,
                          '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
                          '\binstagr(am)?\b'
          )
          // MetaGeek is a legitimate vendor whose name contains "meta"
          and not (
            strings.icontains(sender.display_name, 'MetaGeek Support')
            and sender.email.domain.root_domain == "metageek.com"
          )
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      and (
        // a Meta-family logo in the rendered message
        any(ml.logo_detect(file.message_screenshot()).brands,
            .name in ("Facebook", "Meta", "Instagram", "Threads")
        )
        // or a phishing/scam intent with at least medium confidence
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("medium", "high")
        )
        // or a short body built around policy-violation wording
        or (
          length(body.current_thread.text) < 2000
          and regex.icontains(body.current_thread.text,
                              "(?:violation|infringe|copyright)"
          )
        )
        // or a rebrand.ly shortened link
        or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
      )
    )
    // --- Salesforce sender plus logo detection plus NLU ------------------------
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name in ("Facebook", "Meta", "Instagram", "Threads")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("medium", "high")
      )
    )
    // --- Meta postal footer (1 Facebook/Meta Way or 1601 Willow Rd, Menlo Park,
    //     CA 94025) combined with a suspicious link or intent ----------------
    or (
      regex.icontains(body.current_thread.text,
                      '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
      )
      and (
        // a link that opens a Facebook chat (/msg/) — not how support operates
        any(body.links,
            strings.ends_with(.href_url.domain.domain, 'facebook.com')
            and strings.starts_with(.href_url.path, '/msg/')
        )
        // or a high-confidence phishing/scam intent
        or (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
          )
        )
        // or a link carrying a recipient address, either in clear text or
        // base64-encoded in the URL or its fragment (..email / ...email refer
        // to the recipient from the enclosing any())
        or any(recipients.to,
               .email.domain.valid
               and any(body.links,
                       strings.icontains(.href_url.url, ..email.email)
                       or any(beta.scan_base64(.href_url.url,
                                               format="url",
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
                       or any(beta.scan_base64(.href_url.fragment,
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
               )
        )
      )
    )
    // --- Advertising "advice/recommendations" lures ----------------------------
    or (
      // every detected topic is advertising or a reminder/notification
      all(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Advertising and Promotions", "Reminders and Notifications")
      )
      // a Meta reference: "Community Guidelines" as an org entity, or the footer
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "org" and strings.icontains(.text, 'Community Guidelines')
        )
        or regex.icontains(body.current_thread.text,
                           '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
      )
      // plus an urgency cue
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
    )
    // --- "Meta Professional Certificate" / Coursera lure ----------------------
    or (
      strings.icontains(body.current_thread.text, "Meta Professional Certificate")
      and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
      // a link that says "coursera" but does not resolve to coursera.org
      and any(body.links,
              strings.icontains(.display_text, "coursera")
              and .href_url.domain.root_domain != "coursera.org"
      )
    )
    // --- Two of three footer fragments ----------------------------------------
    // NOTE(review): this address variant (1602 Willow Road / CA 91024) differs
    // from the footer regex above (1601 Willow Rd / 94025); presumably copied
    // from observed lures — confirm before "correcting" either one.
    or 2 of (
      strings.icontains(body.current_thread.text, 'Meta'),
      strings.icontains(body.current_thread.text, '1602 Willow Road'),
      strings.icontains(body.current_thread.text, 'Menlo Park, CA 91024'),
    )
  )
  // --- Exclusions -------------------------------------------------------------
  // legitimate Meta-family sender root domains (case-insensitive list match)
  and sender.email.domain.root_domain not in~ (
    'facebook.com',
    'facebookmail.com',
    'eventsatfacebook.com',
    'facebookenterprise.com',
    'meta.com',
    'metamail.com',
    'instagram.com',
    'medallia.com',
    'fbworkmail.com',
    'workplace.com',
    'capterra.com', // they mention "Community Guidelines"
    'facebookblueprint.com',
    'metaenterprisemail.com',
    'pigfacebookstore.com.au', // unrelated domain but hitting on facebook
    'metacompliance.com',
    'metaprop.com' // unrelated domain but hitting on meta pro
  )
  // negate metaenterprise links
  // NOTE(review): this carve-out keys on the Reply-To header alone and, unlike
  // the Veza carve-out above, is not tied to headers.auth_summary.dmarc.pass —
  // confirm it is meant to apply regardless of the authentication result.
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")

  // highly trusted sender domains are excluded unless they fail DMARC
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly,
    // so it is never excluded by the high-trust list
    or sender.email.domain.root_domain == "salesforce.com"
  )
  // senders with benign message history are excluded
  and not profile.by_sender().any_messages_benign

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"