Brand impersonation: Meta and subsidiaries

Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.

Sublime rule (View on GitHub)

  # Sublime Security detection rule: YAML metadata plus an MQL predicate in `source`.
  # The message is flagged when the whole `source` expression evaluates true.
  name: "Brand impersonation: Meta and subsidiaries"
  description: |
      Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
  references:
    - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
  type: "rule"
  severity: "low"
  # Shape of the predicate below:
  #   inbound
  #   AND (one of several impersonation signals, strong ones alone, weaker ones
  #        only in combination with logo detection / NLU / footer heuristics)
  #   AND sender root domain is not a known Meta or partner domain
  #   AND Reply-To / trusted-sender / sender-profile exclusions.
  # Inside the block scalar only MQL `//` comments are comments; a YAML `#` line
  # there would become part of the query text.
  source: |
    type.inbound
    and (
      // sender display name is a strong enough indicator
      // that it can be used without any other impersonation logic
      (
        // case-insensitive substring match; ' ?' tolerates an optional space
        regex.icontains(sender.display_name,
                        'facebook ?ads',
                        'facebook ?business',
                        'meta ?account',
                        'meta ?help',
                        'meta ?support',
                        'meta ?business',
                        'meta ?for ?business',
                        'meta ?policy',
                        'page ?ads ?support',
                        'Instagram ?Not',
                        'Instagram ?Policies',
                        'Instagram ?Report',
                        'Instagram ?Helpdesk',
                        'Instagram ?Support',
                        'Ads ?Team',
                        'Meta & Coursera'
        )
        // fuzzy display-name matches: at most two edits, case-insensitive
        or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
        or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
        or (
          // NOTE(review): case-sensitive levenshtein here, unlike the
          // ilevenshtein calls above -- confirm that is intended
          strings.levenshtein(sender.display_name, 'Meta Support') <= 2
          // negation for Zeta Support
          // NOTE(review): this exception does not require a DMARC pass, while the
          // Veza exception below does -- confirm the asymmetry is intended
          and not (
            sender.display_name == "Zeta Support"
            and sender.email.domain.root_domain == 'zetaglobal.net'
          )
          // negation for Veza Support, only when the sender authenticates
          and not (
            sender.display_name == "Veza Support"
            and sender.email.domain.root_domain == 'veza.com'
            and headers.auth_summary.dmarc.pass
          )
        )
        // brand name in the sender domain or local part (legit Meta domains are
        // excluded further down by root domain)
        or strings.ilike(sender.email.domain.domain, '*facebook*')
        or strings.ilike(sender.email.local_part,
                         "*instagramlive*",
                         "*facebooksupport*"
        )
      )
      // the use of these keywords (facebook, meta, meta.*support)
      // or the levenshtein distance to facebook
      // are less strong and thus need to be combined with logo detection or nlu
      or (
        (
          (
            // [\p{Mn}\p{Cf}]* between letters tolerates combining marks and
            // format (e.g. zero-width) characters inserted to evade a plain match
            regex.icontains(sender.display_name,
                            '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
                            '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
                            '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
                            '\binstagr(am)?\b'
            )
            // negate metageek.com
            and not (
              strings.icontains(sender.display_name, 'MetaGeek Support')
              and sender.email.domain.root_domain == "metageek.com"
            )
          )
          or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
        )
        // corroborating signal required for the weaker name matches above
        and (
          // brand logo detected in a screenshot of the rendered message
          any(ml.logo_detect(beta.message_screenshot()).brands,
              .name in ("Facebook", "Meta", "Instagram", "Threads")
          )
          // or NLU sees a theft/scam intent with at least medium confidence
          or any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name in ("cred_theft", "callback_scam", "steal_pii")
                 and .confidence in ("medium", "high")
          )
          // or policy-violation wording, or a rebrand.ly short link in the body
          or regex.icontains(body.plain.raw, "(violation|infringe|copyright)")
          or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
        )
      )
      // salesforce sender combined with logo detection and nlu is enough
      or (
        sender.email.domain.root_domain == "salesforce.com"
        and any(ml.logo_detect(beta.message_screenshot()).brands,
                .name in ("Facebook", "Meta", "Instagram", "Threads")
        )
        and any(ml.nlu_classifier(body.current_thread.text).intents,
                .name in ("cred_theft", "callback_scam", "steal_pii")
                and .confidence in ("medium", "high")
        )
      )
      or 
      // or the body contains a facebook/meta footer with the address citing "community support"
      (
        // NOTE(review): this Menlo Park address pattern is duplicated in the
        // "advice/recommendations" clause below; keep both copies in sync
        regex.icontains(body.current_thread.text,
                        '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
        // and it contains a link to spawn a chat with facebook - this is not the way support operates
        and (
          any(body.links,
              strings.ends_with(.href_url.domain.domain, 'facebook.com')
              and strings.starts_with(.href_url.path, '/msg/')
          )
          // or NLU sees a theft/scam intent, high confidence only in this branch
          or (
            any(ml.nlu_classifier(body.current_thread.text).intents,
                .name in ("cred_theft", "callback_scam", "steal_pii")
                and .confidence in ("high")
            )
          )
          // or a body link carries the recipient's own address, either in the
          // clear or base64-encoded in the URL or its fragment
          // (`..`/`...` step out to the enclosing recipients.to item)
          or any(recipients.to,
                 .email.domain.valid
                 and any(body.links,
                         strings.icontains(.href_url.url, ..email.email)
                         or any(beta.scan_base64(.href_url.url,
                                                 format="url",
                                                 ignore_padding=true
                                ),
                                strings.icontains(., ...email.email)
                         )
                         or any(beta.scan_base64(.href_url.fragment,
                                                 ignore_padding=true
                                ),
                                strings.icontains(., ...email.email)
                         )
                 )
          )
        )
      )
      // we've seen advertising "advice/recommendations"
      or (
        // every detected topic must be one of these two
        all(beta.ml_topic(body.current_thread.text).topics,
            .name in ("Advertising and Promotions", "Reminders and Notifications")
        )
        // Meta mention
        and (
          any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "org" and strings.icontains(.text, 'Community Guidelines')
          )
          or regex.icontains(body.current_thread.text,
                             '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
          )
        )
        // plus an urgency cue
        and any(ml.nlu_classifier(body.current_thread.text).entities,
                .name == "urgency"
        )
      )
      // Meta/Coursera certificate lure
      or (
        strings.icontains(body.current_thread.text, "Meta Professional Certificate")
        and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
      )
    )
    // known Meta and partner sending domains, compared case-insensitively (in~)
    // NOTE(review): this exclusion keys on the From root domain alone and, unlike
    // the high-trust clause below, does not require a DMARC pass -- a spoofed
    // From on one of these domains would be excluded here; confirm that is
    // handled elsewhere
    and sender.email.domain.root_domain not in~ (
      'facebook.com',
      'facebookmail.com',
      'eventsatfacebook.com',
      'facebookenterprise.com',
      'meta.com',
      'metamail.com',
      'instagram.com',
      'medallia.com',
      'fbworkmail.com',
      'workplace.com',
      'capterra.com', // they mention "Community Guidelines"
      'facebookblueprint.com',
      'metaenterprisemail.com'
    )
    // exclude Meta-enterprise style notifications whose Reply-To is Meta's own
    // noreply@facebookmail.com address
    and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
    
    // negate highly trusted sender domains unless they fail DMARC authentication
    // ($high_trust_sender_root_domains is a list defined outside this rule)
    and (
      (
        sender.email.domain.root_domain in $high_trust_sender_root_domains
        and not headers.auth_summary.dmarc.pass
      )
      or sender.email.domain.root_domain not in $high_trust_sender_root_domains
    
      // salesforce has been abused for meta phishing campaigns repeatedly
      or sender.email.domain.root_domain == "salesforce.com"
    )
    // skip senders whose profile already has benign messages
    and not profile.by_sender().any_messages_benign  
  # Classification metadata used for reporting and triage.
  attack_types:
    - "Credential Phishing"
  tactics_and_techniques:
    - "Impersonation: Brand"
    - "Lookalike domain"
    - "Social engineering"
  detection_methods:
    - "Header analysis"
    - "Sender analysis"
  # Stable rule identifier.
  id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"