Brand impersonation: Fake fax

Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from an untrusted sender.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Fake fax"
 2description: |
 3    Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from an untrusted sender.
 4references:
 5  - "https://www.hoxhunt.com/blog/fax-phishing"
 6type: "rule"
 7severity: "medium"
 8source: |
 9  type.inbound
10  and 0 < length(body.links) < 5
11  and sender.email.domain.root_domain not in $org_domains
12  and any(body.links,
13          (
14            .href_url.domain.domain not in $tranco_1m
15            or .href_url.domain.domain in $free_file_hosts
16            or .href_url.domain.root_domain in $free_file_hosts
17            or .href_url.domain.root_domain in $free_subdomain_hosts
18            or .href_url.domain.domain in $url_shorteners
19            or 
20  
21            // mass mailer link, masks the actual URL
22            .href_url.domain.root_domain in (
23              "hubspotlinks.com",
24              "mandrillapp.com",
25              "sendgrid.net"
26            )
27          )
28  )
29  
30  // any brand logo detected
31  and (
32    any(attachments,
33        .file_type in $file_types_images
34        and any(ml.logo_detect(.).brands, .name is not null)
35    )
36    or any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
37  )
38  
39  // Subject or sender contains fax
40  and (
41    strings.icontains(subject.subject, "fax")
42    or strings.icontains(sender.display_name, "fax")
43  )
44  
45  // suspicious content
46  and (
47    strings.ilike(body.plain.raw, "*fax*")
48    or (
49      any(attachments,
50          .file_type in $file_types_images
51          and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*fax*"))
52      )
53    )
54  )
55  
56  // negate known fax mailers
57  and sender.email.domain.root_domain not in ("faxage.com")
58  and (
59    profile.by_sender().prevalence in ("new", "outlier")
60    or (
61      profile.by_sender().any_messages_malicious_or_spam
62      and not profile.by_sender().any_false_positives
63    )
64  )  
65attack_types:
66  - "Credential Phishing"
67tactics_and_techniques:
68  - "Impersonation: Brand"
69  - "Image as content"
70  - "Free file host"
71  - "Free subdomain host"
72  - "Social engineering"
73detection_methods:
74  - "Computer Vision"
75  - "Content analysis"
76  - "Optical Character Recognition"
77  - "Sender analysis"
78  - "URL analysis"
79id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"