Brand Impersonation: Meta and Subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
Sublime rule (View on GitHub)
1name: "Brand Impersonation: Meta and Subsidiaries"
2description: |
3 Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
4references:
5 - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
6type: "rule"
7severity: "low"
8source: |
9 type.inbound
10 and (
11 // these sender display-name patterns are strong enough indicators on their own
12 // that they can be used without any other impersonation logic
13 (
14 strings.ilike(sender.display_name,
15 '*facebook ads*',
16 '*facebook business*',
17 '*meta support*',
18 '*meta business*',
19 '*meta for business*',
20 '*meta policy*',
21 '*page ads support*',
22 'Instagram Not*',
23 'Instagram Policies*',
24 'Instagram Report*',
25 'Instagram Helpdesk*',
26 'Instagram Support*',
27 '*Ads Team'
28 )
29 or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
30 or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
31 or (
32 strings.levenshtein(sender.display_name, 'Meta Support') <= 2
33 // exclude the legitimate "Zeta Support" sender, which is within levenshtein distance 2 of "Meta Support"
34 and not (
35 sender.display_name == "Zeta Support"
36 and sender.email.domain.root_domain == 'zetaglobal.net'
37 )
38 )
39 or strings.ilike(sender.email.domain.domain, '*facebook*')
40 or strings.ilike(sender.email.local_part,
41 "*instagramlive*",
42 "*facebooksupport*"
43 )
44 )
45 // the bare keywords (facebook, meta, meta.*support)
46 // and a small levenshtein distance to "facebook"
47 // are weaker signals and so must be combined with logo detection or nlu intent classification
48 or (
49 (
50 (
51 regex.icontains(sender.display_name,
52 '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
53 '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
54 '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support\b',
55 '\binstagr(am)?\b'
56 )
57 // exclude the legitimate "MetaGeek Support" sender at metageek.com, which would otherwise match the meta keyword
58 and not (
59 strings.icontains(sender.display_name, 'MetaGeek Support')
60 and sender.email.domain.root_domain == "metageek.com"
61 )
62 )
63 or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
64 )
65 and (
66 any(ml.logo_detect(beta.message_screenshot()).brands,
67 .name in ("Facebook", "Meta", "Instagram", "Threads")
68 )
69 or any(ml.nlu_classifier(body.current_thread.text).intents,
70 .name in ("cred_theft", "callback_scam", "steal_pii")
71 and .confidence in ("medium", "high")
72 )
73 )
74 )
75 // a salesforce.com sender combined with brand logo detection and an nlu phishing intent is sufficient on its own
76 or (
77 sender.email.domain.root_domain == "salesforce.com"
78 and any(ml.logo_detect(beta.message_screenshot()).brands,
79 .name in ("Facebook", "Meta", "Instagram", "Threads")
80 )
81 and any(ml.nlu_classifier(body.current_thread.text).intents,
82 .name in ("cred_theft", "callback_scam", "steal_pii")
83 and .confidence in ("medium", "high")
84 )
85 )
86 or
87 // or the body contains a facebook/meta footer with the Menlo Park mailing address citing "community support"
88 (
89 regex.icontains(body.current_thread.text,
90 '(1 (Facebook|Meta)?\s*Way|1601 Willow Road), Menlo Park, CA 94025'
91 )
92 // and it contains a facebook.com link with a /msg/ path that spawns a chat - legitimate support does not operate this way
93 and (
94 any(body.links,
95 strings.ends_with(.href_url.domain.domain, 'facebook.com')
96 and strings.starts_with(.href_url.path, '/msg/')
97 )
98 or (
99 any(ml.nlu_classifier(body.current_thread.text).intents,
100 .name in ("cred_theft", "callback_scam", "steal_pii")
101 and .confidence in ("high")
102 )
103 )
104 or any(recipients.to,
105 .email.domain.valid
106 and any(body.links,
107 strings.icontains(.href_url.url, ..email.email)
108 or any(beta.scan_base64(.href_url.url,
109 format="url",
110 ignore_padding=true
111 ),
112 strings.icontains(., ...email.email)
113 )
114 or any(beta.scan_base64(.href_url.fragment,
115 ignore_padding=true
116 ),
117 strings.icontains(., ...email.email)
118 )
119 )
120 )
121 )
122 )
123 // we've also seen lures framed as advertising "advice/recommendations"
124 or (
125 all(beta.ml_topic(body.current_thread.text).topics,
126 .name in ("Advertising and Promotions", "Reminders and Notifications")
127 )
128 // the body must also reference Meta, via an org entity citing "Community Guidelines" or the Menlo Park address
129 and (
130 any(ml.nlu_classifier(body.current_thread.text).entities,
131 .name == "org"
132 and strings.icontains(.text, 'Community Guidelines')
133 )
134 or regex.icontains(body.current_thread.text,
135 '(1 (Facebook|Meta)?\s*Way|1601 Willow Road), Menlo Park, CA 94025'
136 )
137 )
138 and any(ml.nlu_classifier(body.current_thread.text).entities,
139 .name == "urgency"
140 )
141 )
142 )
143 and sender.email.domain.root_domain not in~ (
144 'facebook.com',
145 'facebookmail.com',
146 'eventsatfacebook.com',
147 'facebookenterprise.com',
148 'meta.com',
149 'metamail.com',
150 'instagram.com',
151 'medallia.com',
152 'fbworkmail.com',
153 'workplace.com',
154 'capterra.com' // they mention "Community Guidelines"
155 )
156 // negate metaenterprise mail, identified by its noreply@facebookmail.com Reply-To
157 and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
158 and (
159 (
160 profile.by_sender().prevalence != "common"
161 and not profile.by_sender().solicited
162 )
163 or sender.email.domain.domain in $replyto_service_domains
164 or (
165 profile.by_sender().any_messages_malicious_or_spam
166 and not profile.by_sender().any_messages_benign
167 )
168 // if salesforce is being abused, sender profiles aren't very useful, so these senders bypass the profile checks
169 or sender.email.email in (
170 "noreply@salesforce.com",
171 "support@salesforce.com",
172 "no-reply@salesforce.com"
173 )
174 // sent via Google group
175 or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
176 )
177
178 // negate highly trusted sender domains unless they fail DMARC authentication
179 and (
180 (
181 sender.email.domain.root_domain in $high_trust_sender_root_domains
182 and not headers.auth_summary.dmarc.pass
183 )
184 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
185
186 // salesforce has been abused for meta phishing campaigns repeatedly, so it is never negated as a trusted domain
187 or sender.email.domain.root_domain == "salesforce.com"
188 )
189 and not profile.by_sender().any_messages_benign
190attack_types:
191 - "Credential Phishing"
192tactics_and_techniques:
193 - "Impersonation: Brand"
194 - "Lookalike domain"
195 - "Social engineering"
196detection_methods:
197 - "Header analysis"
198 - "Sender analysis"
199id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"