Brand impersonation: Meta and subsidiaries
Detects inbound email impersonating Meta or its subsidiaries Facebook and Instagram.
Sublime rule (View on GitHub)
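name: "Brand impersonation: Meta and subsidiaries"
description: |
  Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
references:
  - "https://www.techrepublic.com/article/google-and-amazon-most-impersonated-brands-in-phishing-attacks/"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // sender display name is a strong enough indicator
    // that it can be used without any other impersonation logic
    (
      regex.icontains(sender.display_name,
                      // this regex looks for a commonly abused phrase starting with 'meta', potentially containing a version of the word 'verified', followed by phrases that have been observed in campaigns.
                      // note: the optional 'verif...' group sits between two '.*' wildcards, so it never constrains the match;
                      // the effective requirement is 'meta' (letters optionally separated by one character) followed later by one of the listed keywords.
                      '\bm.?e.?t.?a\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|service|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',

                      // this regex also looks for a commonly abused phrase starting with 'meta', followed by a phrase, then 'team' with no separating spaces.
                      '\bm.?e.?t.?a(?:recruiting|pro|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|ads)team',

                      // this regex is similar to the first in this section, but starts with facebook instead of meta
                      '\bf.?a.?c.?e.?b.?o.?o.?k\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|ads[ -]?team|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',
                      '^[a-z]+ from \bmeta$',
                      'page ?ads ?support',
                      'Instagram\s*(?:Not|Policies|Report|Helpdesk|Support)',
                      '\bMeta & Coursera',
                      'Compliance & Security',
                      'social.?media.?\b(?:master|expert|pro|guru)\b',
                      '\bmeta\b.?(?:social|skill|ads).?(?:star|set|expert)',
                      'noreply-(?:meta|fb).+'
      )
      or (
        // 'facebook' with U+200A (hair space) allowed between letters.
        // the plain spelling is excluded below, so only the obfuscated form fires here.
        regex.icontains(sender.display_name,
                        "f\u{200a}?a\u{200a}?c\u{200a}?e\u{200a}?b\u{200a}?o\u{200a}?o\u{200a}?k"
        )
        and not strings.icontains(sender.display_name, 'facebook')
      )
      // U+24C2 (circled latin capital letter M) used as a Meta logo lookalike in the display name
      or strings.contains(sender.display_name, "\u{24C2}")
      or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
      or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
      or strings.ilike(sender.email.domain.domain, '*facebook*')
      or strings.ilike(sender.email.local_part,
                       "*instagramlive*",
                       "*facebooksupport*"
      )
      or strings.icontains(sender.email.domain.subdomain, 'meta-')
    )
    // the use of these keywords (facebook, instagram)
    // or the levenshtein distance to facebook
    // are less strong and thus need to be combined with logo detection or nlu
    or (
      (
        // combining marks (\p{Mn}) and format characters (\p{Cf}, e.g. zero-width joiners)
        // are allowed between the letters to catch homoglyph/zero-width obfuscation
        regex.icontains(sender.display_name,
                        '\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
                        '\binstagr(am)?\b',
                        '\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a\b'
        )
        or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
        // presumably a no-code platform seen delivering these lures; treated as a weak signal only (confirm against campaign data)
        or sender.email.email == 'noreply@appsheet.com'
      )
      // two independent corroborating signals are required on top of the weak sender indicator
      and 2 of (
        any(ml.logo_detect(file.message_screenshot()).brands,
            .name in ("Facebook", "Meta", "Instagram", "Threads")
        ),
        any(ml.nlu_classifier(body.current_thread.text).intents,
            .name in ("cred_theft", "callback_scam", "steal_pii")
            and .confidence in ("medium", "high")
        ),
        (
          // short body with policy-violation language, typical of account-suspension lures
          length(body.current_thread.text) < 2000
          and regex.icontains(body.current_thread.text, "(?:violation|infringe)")
        ),
        regex.icontains(subject.base,
                        '\b(?:recruiting|permanently|locked|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|business|policy|verif(?:y|i(?:cado|ed))|Vérifié|Trademark|Misuse|Review|Violation|Warning|Restriction|Inappropriate|service|Content|multiple reports)\b'
        ),
        // links hosted on infrastructure an attacker can stand up for free
        any(body.links,
            .href_url.domain.root_domain in $self_service_creation_platform_domains
            or .href_url.domain.root_domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.root_domain in $url_shorteners
        ),
        sender.email.domain.root_domain in $free_email_providers
      )
    )
    // salesforce sender combined with logo detection and nlu is enough
    or (
      sender.email.domain.root_domain == "salesforce.com"
      and any(ml.logo_detect(file.message_screenshot()).brands,
              .name in ("Facebook", "Meta", "Instagram", "Threads")
      )
      and any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("medium", "high")
      )
    )
    or
    // or the body contains a facebook/meta footer with the address citing "community support"
    (
      (
        regex.icontains(body.current_thread.text,
                        '(?:1\s+(?:Facebook|Hacker|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
        or (
          regex.icontains(body.current_thread.text,
                          '(?:Security Team © Meta|Meta Support Team)'
          )
        )
      )
      // and it contains a link to spawn a chat with facebook - this is not the way support operates
      and (
        any(body.links,
            strings.ends_with(.href_url.domain.domain, 'facebook.com')
            and strings.starts_with(.href_url.path, '/msg/')
        )
        or (
          any(ml.nlu_classifier(body.current_thread.text).intents,
              .name in ("cred_theft", "callback_scam", "steal_pii")
              and .confidence in ("high")
          )
        )
        // or a link carries the recipient's own address, in clear text or base64 (url-safe or standard),
        // in the URL or its fragment - a common credential-phishing pre-fill/tracking technique
        or any(recipients.to,
               .email.domain.valid
               and any(body.links,
                       strings.icontains(.href_url.url, ..email.email)
                       or any(strings.scan_base64(.href_url.url,
                                                  format="url",
                                                  ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
                       or any(strings.scan_base64(.href_url.fragment,
                                                  ignore_padding=true
                              ),
                              strings.icontains(., ...email.email)
                       )
               )
        )
      )
    )
    // we've seen advertising "advice/recommendations"
    or (
      all(ml.nlu_classifier(body.current_thread.text).topics,
          .name in ("Advertising and Promotions", "Reminders and Notifications")
      )
      // Meta mention
      and (
        any(ml.nlu_classifier(body.current_thread.text).entities,
            .name == "org" and strings.icontains(.text, 'Community Guidelines')
        )
        // same Menlo Park footer address as the footer check above
        or regex.icontains(body.current_thread.text,
                           '(1\s+(Facebook|Hacker|\bMeta\b)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
        )
      )
      and any(ml.nlu_classifier(body.current_thread.text).entities,
              .name == "urgency"
      )
    )
    or (
      strings.icontains(body.current_thread.text, "Meta Professional Certificate")
      and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
      // Add link validation: a link that reads "coursera" but does not resolve to coursera.org
      and any(body.links,
              strings.icontains(.display_text, "coursera")
              and .href_url.domain.root_domain != "coursera.org"
      )
    )
    // NOTE(review): '1602 Willow Road' / 'CA 91024' differ from the real 1601 Willow Rd / 94025
    // matched above - presumably a mistyped address lifted from a phishing kit; confirm before "fixing"
    or 2 of (
      strings.icontains(body.current_thread.text, 'Meta '),
      strings.icontains(body.current_thread.text, '1602 Willow Road'),
      strings.icontains(body.current_thread.text, 'Menlo Park, CA 91024'),
    )
  )
  // first-party Meta sending domains are exempt only when the message authenticates.
  // the From: domain by itself is attacker-controlled, so an unauthenticated spoof of one of
  // these domains must still be evaluated by the logic above (same pattern as the
  // high-trust-domain check at the end of the rule)
  and not (
    sender.email.domain.root_domain in~ (
      'facebook.com',
      'facebookmail.com',
      'eventsatfacebook.com',
      'facebookenterprise.com',
      'meta.com',
      'metamail.com',
      'instagram.com',
      'fbworkmail.com',
      'workplace.com',
      'facebookblueprint.com',
      'metaenterprisemail.com'
    )
    and headers.auth_summary.dmarc.pass
  )
  // unrelated third-party domains that trip the brand keywords above.
  // exempted unconditionally so the existing false-positive suppressions are unchanged
  and sender.email.domain.root_domain not in~ (
    'medallia.com',
    'capterra.com', // they mention "Community Guidelines"
    'pigfacebookstore.com.au', // unrelated domain but hitting on facebook
    'metacompliance.com',
    'metaprop.com', // unrelated domain but hitting on meta pro
    'oakley.com', // meta intelligence glasses
    'facebookuserprivacysettlement.com', // fb settlement website
    'perceptyx.com', // ai employee engagement
    'unroll.me', // unroll contains instagram logo
    'har.com' // facebook ads management
  )
  // negate metaenterprise links.
  // Reply-To is fully attacker-controlled, so on its own this header would be a trivial bypass
  // (any lure could add "Reply-To: noreply@facebookmail.com"); the exemption is therefore only
  // honored on messages that also pass DMARC. A DMARC-passing attacker-owned domain can still
  // set this header, so this negation remains a weak point worth revisiting.
  and not (
    any(headers.reply_to, .email.email == "noreply@facebookmail.com")
    and headers.auth_summary.dmarc.pass
  )

  // meta wiki renamer
  and not (
    sender.display_name == 'Meta-Wiki'
    and sender.email.domain.root_domain == 'wikimedia.org'
  )

  // we dont want emails where all the links go to meta domains
  and not (
    (
      length(body.links) > 1
      and all(body.links,
              .href_url.domain.root_domain in (
                'facebook.com',
                'instagram.com',
                'meta.com'
              )
              // facebook.com/share/... is an open redirect-style path, so it does not count as "goes to meta"
              and not strings.istarts_with(.href_url.path, '/share/')
      )
    )
    // too many links (newsletter-style mail).
    // caveat: a lure padded with more than 20 links reaches this negation and is not evaluated
    or length(body.links) > 20
  )

  // no previous threads
  and length(body.previous_threads) == 0

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains

    // salesforce has been abused for meta phishing campaigns repeatedly
    or sender.email.domain.root_domain == "salesforce.com"
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
  - "URL analysis"
id: "e38f1e3b-79be-5a59-b084-24a851daf6b9"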