Brand impersonation: Meta and subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
# Sublime Security detection rule: YAML metadata wrapping an MQL expression
# (the `source` block scalar below). Fires on inbound mail whose sender
# display name, sender address, body text or screenshot impersonates Meta
# brands, after a set of sender-based negations.
name: "Brand impersonation: Meta and subsidiaries"
description: |
  Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
# NOTE(review): severity is "low" even though the attack type is credential
# phishing - presumably because the broad keyword/levenshtein heuristics in
# `source` are false-positive prone (see the explicit unrelated-domain
# negations there). Confirm this is intentional before tuning.
severity: "low"
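source: |
  type.inbound
  and (
    // sender display name is a strong enough indicator
    // that it can be used without any other impersonation logic
    (
      regex.icontains(sender.display_name,
                      'facebook ?ads',
                      'facebook ?business',
                      'meta ?account',
                      'meta ?help',
                      'meta ?support',
                      'meta ?business',
                      'meta ?for ?business',
                      'meta ?policy',
                      'page ?ads ?support',
                      'Instagram ?Not',
                      'Instagram ?Policies',
                      'Instagram ?Report',
                      'Instagram ?Helpdesk',
                      'Instagram ?Support',
                      'Ads ?Team',
                      'Meta & Coursera',
                      'Compliance & Security',
                      'meta.*inc',
                      'meta ?copyright',
                      'meta ?compliance',
                      'meta ?pro',
                      'meta ?certify'
      )
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or (
        // NOTE(review): case-sensitive levenshtein here, unlike the
        // ilevenshtein checks above - confirm this is intentional
        strings.levenshtein(sender.display_name, 'Meta Support') <= 2
        // negation for Zeta Support
        and not (
          sender.display_name == "Zeta Support"
          and sender.email.domain.root_domain == 'zetaglobal.net'
        )
        and not (
          sender.display_name == "Veza Support"
          and sender.email.domain.root_domain == 'veza.com'
          and headers.auth_summary.dmarc.pass
        )
        and not sender.display_name == "Get Support"
      )
      or strings.ilike(sender.email.domain.domain, '*facebook*')
      or strings.ilike(sender.email.local_part,
                       "*instagramlive*",
                       "*facebooksupport*"
      )
    )
    // the use of these keywords (facebook, meta, meta.*support)
    // or the levenshtein distance to facebook
    // are less strong and thus need to be combined with logo detection or nlu
    or (
      (
        (
          // the [\p{Mn}\p{Cf}]* runs allow combining marks / format chars
          // between letters so homoglyph-padded brand names still match
          regex.icontains(sender.display_name,
                          '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
                          '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
                          '\binstagr(am)?\b'
          )
          // negate metageek.com
          and not (
            strings.icontains(sender.display_name, 'MetaGeek Support')
            and sender.email.domain.root_domain == "metageek.com"
          )
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      and (
        any(ml.logo_detect(file.message_screenshot()).brands,
            .name in ("Facebook", "Meta", "Instagram", "Threads")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("medium", "high")
        )
        or (
          // short policy-violation style lures
          length(body.current_thread.text) < 2000
          and regex.icontains(body.current_thread.text,
                              "(?:violation|infringe|copyright)"
          )
        )
        or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
      )
    )
    // salesforce sender combined with logo detection and nlu is enough
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name in ("Facebook", "Meta", "Instagram", "Threads")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("medium", "high")
      )
    )
    or
    // or the body contains a facebook/meta footer with the address citing "community support"
    (
      regex.icontains(body.current_thread.text,
                      '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and (
        any(body.links,
            strings.ends_with(.href_url.domain.domain, 'facebook.com')
            and strings.starts_with(.href_url.path, '/msg/')
        )
        or (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
          )
        )
        // or a link carries the recipient's own address, plainly or base64
        // encoded in the URL / fragment (victim pre-fill for a phishing page)
        or any(recipients.to,
               .email.domain.valid
               and any(body.links,
                       strings.icontains(.href_url.url, ..email.email)
                       or any(beta.scan_base64(.href_url.url,
                                               format="url",
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
                       or any(beta.scan_base64(.href_url.fragment,
                                               ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
               )
        )
      )
    )
    // we've seen advertising "advice/recommendations"
    or (
      all(beta.ml_topic(body.current_thread.text).topics,
          .name in ("Advertising and Promotions", "Reminders and Notifications")
      )
      // Meta mention
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "org" and strings.icontains(.text, 'Community Guidelines')
        )
        or regex.icontains(body.current_thread.text,
                           '(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
    )
    or (
      strings.icontains(body.current_thread.text, "Meta Professional Certificate")
      and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
    )
    // NOTE(review): street number and ZIP here differ from the real Menlo Park
    // address matched above (1601 Willow Rd, 94025) - presumably a known lure
    // fingerprint; confirm before "correcting" them
    or 2 of (
      strings.icontains(body.current_thread.text, 'Meta'),
      strings.icontains(body.current_thread.text, '1602 Willow Road'),
      strings.icontains(body.current_thread.text, 'Menlo Park, CA 91024'),
    )
  )
  // negate genuine Meta sending domains, plus unrelated domains that trip the
  // keyword logic - but only when the sender domain passes DMARC. Previously
  // the list was unconditional, so a From header spoofing any listed domain
  // (e.g. facebook.com) was exempted from the rule even when authentication
  // failed; this mirrors the DMARC gating already applied to veza.com and to
  // $high_trust_sender_root_domains below.
  // NOTE(review): a listed domain that publishes no DMARC record will no
  // longer be exempted - confirm each entry authenticates before relying on it.
  and not (
    sender.email.domain.root_domain in~ (
      'facebook.com',
      'facebookmail.com',
      'eventsatfacebook.com',
      'facebookenterprise.com',
      'meta.com',
      'metamail.com',
      'instagram.com',
      'medallia.com',
      'fbworkmail.com',
      'workplace.com',
      'capterra.com', // they mention "Community Guidelines"
      'facebookblueprint.com',
      'metaenterprisemail.com',
      'pigfacebookstore.com.au', // unrelated domain but hitting on facebook
      'metacompliance.com',
      'metaprop.com' // unrelated domain but hitting on meta pro
    )
    and headers.auth_summary.dmarc.pass
  )
  // negate metaenterprise links
  // NOTE(review): Reply-To is attacker-controlled, so any sender can satisfy
  // this exemption by setting it. Consider tying it to the authenticated
  // sending domain of the legitimate source these messages come from.
  and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly
    or sender.email.domain.root_domain == "salesforce.com"
  )
  and not profile.by_sender().any_messages_benign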
206
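attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
# the source also uses logo detection (ml.logo_detect), NLU intents/entities
# (ml.nlu_classifier / beta.ml_topic), body-text regexes and link inspection
# (body.links, beta.scan_base64), so those methods are listed as well
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"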