Brand impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers. A sender only counts as a known provider when its root domain is on the rule's allowlist *and* the message passes DMARC, so a spoofed or lookalike From address does not bypass the rule.
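name: "Brand impersonation: Fake Fax"
description: |
  Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
  A sender is only treated as a known provider when its root domain is on the allowlist below AND the message passes DMARC.
references:
  - "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
source: |
  type.inbound

  // Not a reply/forward: real fax notifications start a thread, and skipping
  // threads avoids matching fax wording quoted in ordinary conversations.
  and length(headers.references) == 0
  and headers.in_reply_to is null

  // Subject or sender display name mentions a fax.
  // Covers "fax", "efax"/"e-fax"/"vfax"/"v-fax", "-fax", "fax:" etc.
  and (
    any([subject.subject, sender.display_name],
        regex.icontains(.,
                        '\bfax\b',
                        '[ve][[:punct:]]?fax',
                        '[[:punct:]]fax\b',
                        '\bfax[[:punct:]]'
        )
    )
  )
  and (
    // Path 1: body.current_thread.text reads like a fax notification
    (
      ( // strong notification terms in either the subject or body.current_thread.text
        any([subject.subject, body.current_thread.text],
            strings.icontains(., "New Fax Received")
            or strings.icontains(., "e-Fax Document")
            or strings.icontains(., "Fax Status")
            or strings.icontains(., "Fax ID")
            or strings.icontains(., "New Fax Document")
            or regex.icontains(., "(?:received|have) a (?:new )?fax")
            or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
            // "transmitted a new fax" / "fax was successfully transmitted":
            // verb and noun in either order with up to two filler words between.
            // The second pattern mirrors the first; the previous form required
            // "fax" to be directly followed by "transmit" and never matched
            // "fax has been transmitted".
            or regex.icontains(.,
                               'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                               '(?:fax|facsimile)(?:\s+\w+){0,2}\s+transmit(?:ted|ting)?',
            )
        )
      )
      and (
        // combined with above, we should have very high confidence this is a fax message
        (
          // date / delivery metadata typically shown in a fax cover notification.
          // NOTE: the bare "Received" token is very common in ordinary mail; it
          // only adds confidence here because the strong terms above already hit.
          strings.icontains(body.current_thread.text, "Date:")
          or strings.icontains(body.current_thread.text, "Time Sent:")
          or strings.icontains(body.current_thread.text, "Time Received:")
          or strings.icontains(body.current_thread.text, "Received")
          // page count
          or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
          or strings.icontains(body.current_thread.text, "Type: PDF")
        )
        // commonly abused brands (footer text lifted from genuine provider mail)
        or (
          strings.icontains(body.current_thread.text,
                            "eFax is a registered trademark of Consensus"
          )
          or strings.icontains(body.current_thread.text, "RingCentral, Inc")
        )
        // there is a link with the display text of some CTA
        or any(body.links,
               strings.icontains(.display_text, "open fax")
               // review document, view document, review and sign document
               or regex.icontains(.display_text,
                                  "(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
               )
               or strings.icontains(.display_text, "Open document")
        )
      )
    )
    // Path 2: the "fax" is an attachment or an inline image (image-as-content lure)
    or (
      // the body.current_thread.text length is very short (probably just a warning banner)
      // and the attachment isn't used in the body of the message
      length(body.current_thread.text) < 300
      // and there are attachments (a small number; bulk attachment mail is out of scope)
      and 0 < length(attachments) < 5
      and any(attachments,
              // attachment is named like a fax
              strings.icontains(.file_name, 'fax')
              or (
                // or it is an image referenced from the HTML body whose OCR text
                // contains fax wording (lure rendered as a picture to evade text matching)
                .file_type in $file_types_images
                and
                (
                  // content_id is usually "<...>"; match the bare id in src="cid:..."
                  any(regex.extract(.content_id, '^\<(.*)\>$'),
                      any(.groups,
                          strings.icontains(body.html.raw,
                                            strings.concat('src="cid:',
                                                           .,
                                                           '"'
                                            )
                          )
                      )
                  )
                  // fallback: content_id referenced without the angle-bracket form
                  or strings.icontains(body.html.raw, .content_id)
                )
                and (
                  // and that image contains fax wording
                  // (beta.ocr is a beta function; it is evaluated per predicate below)
                  strings.icontains(beta.ocr(.).text, "New Fax Received")
                  or strings.icontains(beta.ocr(.).text, "New Fax Document")
                  or regex.icontains(beta.ocr(.).text,
                                     "(?:received|have) a (?:new )?fax"
                  )
                  or regex.icontains(beta.ocr(.).text,
                                     "to view (th(?:e|is) )?(?:fax|message)"
                  )
                  // same verb/noun patterns as Path 1, applied to the OCR text
                  or regex.icontains(beta.ocr(.).text,
                                     'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                                     '(?:fax|facsimile)(?:\s+\w+){0,2}\s+transmit(?:ted|ting)?',
                  )
                )
              )
      )
    )
  )
  // negate known fax mailers.
  // The allowlist is only honoured when DMARC passes: a message that merely
  // claims one of these From domains (spoofed or unauthenticated) is still
  // evaluated by the rule. root_domain also covers provider subdomains.
  and not (
    sender.email.domain.root_domain in (
      "faxage.com",
      'fax2mail.com',
      'ringcentral.com',
      'avaya.com',
      'egoldfax.com',
      'efax.com',
      'hellofax.com',
      'mfax.io',
      'goto.com',
      'faxmessage.net',
      'fuze.com',
      'retarus.net',
      'srfax.com',
      'myfax.com'
    )
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Image as content"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"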