Brand Impersonation: Meta and Subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
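name: "Brand Impersonation: Meta and Subsidiaries"
description: |
  Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    // sender display name is a strong enough indicator
    // that it can be used without any other impersonation logic
    (
      strings.ilike(sender.display_name,
                    '*facebook ads*',
                    '*facebook business*',
                    '*meta support*',
                    '*meta for business*',
                    '*meta policy*',
                    'Instagram Not*',
                    'Instagram Policies*',
                    'Instagram Report*',
                    'Instagram Helpdesk*',
                    'Instagram Support*'
      )
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or (
        strings.ilevenshtein(sender.display_name, 'meta support') <= 2
        // negation for Zeta Support (edit distance 1 from "meta support")
        and not (
          sender.display_name == "Zeta Support"
          and sender.email.domain.root_domain == 'zetaglobal.net'
        )
      )
      // lookalike sending domain, e.g. facebook-security.example; legitimate
      // Meta domains are exempted below only when they pass DMARC
      or strings.ilike(sender.email.domain.domain, '*facebook*')
    )
    // the use of these keywords (facebook, meta, meta.*support)
    // or the levenshtein distance to facebook
    // are less strong and thus need to be combined with logo detection or nlu
    or (
      (
        (
          regex.icontains(sender.display_name,
                          '\bfacebook\b',
                          '\bmeta\b',
                          '\bmeta.*support\b',
                          '\binstagram\b'
          )
          // negate metageek.com
          and not (
            strings.icontains(sender.display_name, 'MetaGeek Support')
            and sender.email.domain.root_domain == "metageek.com"
          )
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
      )
      and (
        any(ml.logo_detect(beta.message_screenshot()).brands,
            .name in ("Facebook", "Meta", "Instagram")
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("high")
        )
      )
    )
    // salesforce sender combined with logo detection and nlu is enough
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(beta.message_screenshot()).brands,
              .name in ("Facebook", "Meta", "Instagram")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
      )
    )
    // or the body contains a facebook/meta footer with the address citing "community support"
    or (
      regex.icontains(body.current_thread.text,
                      'Attention: Community Support, 1 (Facebook|Meta)?\s*Way, Menlo Park, CA 94025'
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and (
        any(body.links,
            strings.ends_with(.href_url.domain.domain, 'facebook.com')
            and strings.starts_with(.href_url.path, '/msg/')
        )
        or any(ml.nlu_classifier(body.current_thread.text).intents,
               .name in ("cred_theft", "callback_scam", "steal_pii")
               and .confidence in ("high")
        )
        // or a link carries the recipient's address, either in clear text
        // or base64-encoded in the URL or its fragment (victim tracking/prefill)
        or any(recipients.to,
               any(body.links,
                   strings.icontains(.href_url.url, ..email.email)
                   or any(beta.scan_base64(.href_url.url, ignore_padding=true),
                          strings.icontains(., ...email.email)
                   )
                   or any(beta.scan_base64(.href_url.fragment, ignore_padding=true),
                          strings.icontains(., ...email.email)
                   )
               )
        )
      )
    )
  )
  // legitimate Meta/Facebook/Instagram sending domains (medallia.com is a
  // third-party sender kept from the original list). The exemption is scoped
  // to DMARC-passing mail: the From: domain is attacker-controlled, so an
  // unconditional allow-list would let a spoofed facebook.com/meta.com sender
  // bypass the whole rule.
  and not (
    sender.email.domain.root_domain in~ (
      'facebook.com',
      'facebookmail.com',
      'eventsatfacebook.com',
      'facebookenterprise.com',
      'meta.com',
      'metamail.com',
      'instagram.com',
      'medallia.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // legitimate Meta relays (original comment: "metaenterprise") set
  // Reply-To: noreply@facebookmail.com. Reply-To is attacker-controlled, so
  // the exemption only applies to authenticated mail; otherwise a single
  // forged header would suppress every other indicator above.
  // TODO(review): confirm the intended legitimate relay passes DMARC.
  and not (
    any(headers.reply_to, .email.email == "noreply@facebookmail.com")
    and headers.auth_summary.dmarc.pass
  )
  and (
    (
      profile.by_sender().prevalence != "common"
      and not profile.by_sender().solicited
    )
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
    // if salesforce is being abused, sender profiles aren't very useful
    or sender.email.email in ("noreply@salesforce.com", "support@salesforce.com", "no-reply@salesforce.com")
    // sent via Google group
    or any(headers.hops, any(.fields, .name == "X-Google-Group-Id"))
  )

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly
    or sender.email.domain.root_domain == "salesforce.com"
  )
  and not profile.by_sender().any_false_positives
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"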