Brand impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Fake Fax"
2description: |
3 Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
4references:
5 - "https://www.hoxhunt.com/blog/fax-phishing"
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 // Subject or sender contains fax
11 and (
12 any([subject.subject, sender.display_name],
13 regex.icontains(.,
14 '\bfax\b',
15 '[ve][[:punct:]]?fax',
16 '[[:punct:]]fax\b',
17 '\bfax[[:punct:]]',
18 'fr[[:punct:]].{0,25}document'
19 )
20 )
21 )
22 and (
23 // body.current_thread.text logic
24 (
25 ( // strong notification terms in either the subject or body.current_thread.text
26 any([subject.subject, body.current_thread.text],
27 strings.icontains(., "New Fax Received")
28 or strings.icontains(., "e-Fax Document")
29 or strings.icontains(., "Fax Status")
30 or strings.icontains(., "Fax ID")
31 or strings.icontains(., "New Fax Document")
32 or strings.istarts_with(., 'Fax message')
33 or regex.icontains(.,
34 '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
35 )
36 or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
37 or regex.icontains(.,
38 'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
39 '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
40 )
41 )
42 and (
43 // combined with above, we should have very high confidence this is a fax message
44 (
45 // date
46 strings.icontains(body.current_thread.text, "Date:")
47 or strings.icontains(body.current_thread.text, "Time Sent:")
48 or strings.icontains(body.current_thread.text, "Time Received:")
49 or strings.icontains(body.current_thread.text, "Received")
50 // page count
51 or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
52 or strings.icontains(body.current_thread.text, "Type: PDF")
53 )
54 // commonly abused brands
55 or (
56 strings.icontains(body.current_thread.text,
57 "eFax is a registered trademark of Consensus"
58 )
59 or strings.icontains(body.current_thread.text, "RingCentral, Inc")
60 )
61 // there is a link with the display text of some CTA
62 or any(body.links,
63 strings.icontains(.display_text, "open fax")
64 // review document, view document review and sign document
65 or regex.icontains(.display_text,
66 "(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
67 )
68 or strings.icontains(.display_text, "Open document")
69 )
70 )
71 )
72 // attachment logic
73 or (
74 // the body.current_thread.text length is very short (probably just a warning banner)
75 // and the attachment isn't used in the body of the message
76 length(body.current_thread.text) < 300
77 // and there are attachments
78 and 0 < length(attachments) < 5
79 // the attachments shouldn't be images which are used in the body of the html
80 and any(attachments,
81 strings.icontains(.file_name, 'fax')
82 or (
83 // or they are used in the body and OCR on them contains fax wording
84 // the image is used in the HTML body
85 .file_type in $file_types_images
86 and (
87 any(regex.extract(.content_id, '^\<(.*)\>$'),
88 any(.groups,
89 strings.icontains(body.html.raw,
90 strings.concat('src="cid:', ., '"')
91 )
92 )
93 )
94 or strings.icontains(body.html.raw, .content_id)
95 )
96 and (
97 // and that image contains fax wording
98 strings.icontains(beta.ocr(.).text, "New Fax Received")
99 or strings.icontains(beta.ocr(.).text, "New Fax Document")
100 or regex.icontains(beta.ocr(.).text,
101 "(?:received|have) a (?:new )?fax"
102 )
103 or regex.icontains(beta.ocr(.).text,
104 "to view (th(?:e|is) )?(?:fax|message)"
105 )
106 or regex.icontains(beta.ocr(.).text,
107 'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
108 '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
109 )
110 )
111 )
112 )
113 )
114 )
115 )
116 // negate known fax mailers
117 and not (
118 sender.email.domain.root_domain in (
119 "faxage.com",
120 'fax2mail.com',
121 'ringcentral.com',
122 'ringcentral.biz',
123 'avaya.com',
124 'egoldfax.com',
125 'efax.com',
126 'hellofax.com',
127 'mfax.io',
128 'goto.com',
129 'faxmessage.net',
130 'fuze.com',
131 'retarus.net',
132 'srfax.com',
133 'myfax.com',
134 '8x8.com',
135 'zoom.us',
136 'faxhd.com',
137 'humblefax.com',
138 'bridge.insure',
139 'telecomsvc.com'
140 )
141 and headers.auth_summary.dmarc.pass
142 )
143
144attack_types:
145 - "Credential Phishing"
146tactics_and_techniques:
147 - "Impersonation: Brand"
148 - "Image as content"
149 - "Free file host"
150 - "Free subdomain host"
151 - "Social engineering"
152detection_methods:
153 - "Computer Vision"
154 - "Content analysis"
155 - "Optical Character Recognition"
156 - "Sender analysis"
157 - "URL analysis"
158id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"