Brand impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
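name: "Brand impersonation: Fake Fax"
description: |
  Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
references:
  - "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
source: |
  type.inbound

  // not a reply/fwd: fake fax notifications arrive as fresh threads
  and length(headers.references) == 0
  and headers.in_reply_to is null

  // Subject or sender display name must mention fax: as a whole word,
  // joined to a one-letter prefix / punctuation ("e-fax", "vfax", "fax:"),
  // or the "fr<punct> ... document" phrasing
  and (
    any([subject.subject, sender.display_name],
        regex.icontains(.,
                        '\bfax\b',
                        '[ve][[:punct:]]?fax',
                        '[[:punct:]]fax\b',
                        '\bfax[[:punct:]]',
                        'fr[[:punct:]].{0,25}document'
        )
    )
  )
  and (
    // body.current_thread.text logic
    (
      ( // strong notification terms in either the subject or body.current_thread.text
        any([subject.subject, body.current_thread.text],
            strings.icontains(., "New Fax Received")
            or strings.icontains(., "e-Fax Document")
            or strings.icontains(., "Fax Status")
            or strings.icontains(., "Fax ID")
            or strings.icontains(., "New Fax Document")
            or regex.icontains(., '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax')
            or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
            // "transmitted <up to two words> fax" and "fax <up to two words> transmitted".
            // In both forms the optional word window comes BEFORE the final \s+; with the
            // window after \s+ the words can never be consumed and only the adjacent
            // "fax transmitted" matches, so "fax has been transmitted" was silently missed.
            or regex.icontains(.,
                               'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                               '(?:fax|facsimile)(?:\s+\w+){0,2}\s+transmit(?:ted|ting)?',
            )
        )
      )
      and (
        // combined with above, we should have very high confidence this is a fax message
        (
          // date
          strings.icontains(body.current_thread.text, "Date:")
          or strings.icontains(body.current_thread.text, "Time Sent:")
          or strings.icontains(body.current_thread.text, "Time Received:")
          // "Received" on its own is broad (any "has been received"); precision
          // comes from the strong-term gate above, not from this term
          or strings.icontains(body.current_thread.text, "Received")
          // page count
          or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
          or strings.icontains(body.current_thread.text, "Type: PDF")
        )
        // commonly abused brands (trademark footers lifted from real notifications)
        or (
          strings.icontains(body.current_thread.text,
                            "eFax is a registered trademark of Consensus"
          )
          or strings.icontains(body.current_thread.text, "RingCentral, Inc")
        )
        // there is a link with the display text of some CTA
        or any(body.links,
               strings.icontains(.display_text, "open fax")
               // review document, view document review and sign document
               or regex.icontains(.display_text,
                                  "(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
               )
               or strings.icontains(.display_text, "Open document")
        )
      )
    )
    // attachment logic
    or (
      // the body.current_thread.text length is very short (probably just a warning banner)
      // and the attachment isn't used in the body of the message
      length(body.current_thread.text) < 300
      // and there are attachments
      and 0 < length(attachments) < 5
      // the attachments shouldn't be images which are used in the body of the html
      and any(attachments,
              strings.icontains(.file_name, 'fax')
              or (
                // or they are used in the body and OCR on them contains fax wording
                // the image is used in the HTML body
                .file_type in $file_types_images
                and
                (
                  // content_id is stored as "<id>"; the body references it as src="cid:id"
                  any(regex.extract(.content_id, '^\<(.*)\>$'),
                      any(.groups,
                          strings.icontains(body.html.raw,
                                            strings.concat('src="cid:',
                                                           .,
                                                           '"'
                                            )
                          )
                      )
                  )
                  // fallback: the raw content_id appears anywhere in the HTML
                  or strings.icontains(body.html.raw, .content_id)
                )
                and (
                  // and that image contains fax wording
                  strings.icontains(beta.ocr(.).text, "New Fax Received")
                  or strings.icontains(beta.ocr(.).text, "New Fax Document")
                  or regex.icontains(beta.ocr(.).text,
                                     "(?:received|have) a (?:new )?fax"
                  )
                  or regex.icontains(beta.ocr(.).text,
                                     "to view (th(?:e|is) )?(?:fax|message)"
                  )
                  // same two transmit/fax orderings as the body check above; the
                  // word window again sits before the final \s+ so OCR text such as
                  // "fax was transmitted" is caught
                  or regex.icontains(beta.ocr(.).text,
                                     'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                                     '(?:fax|facsimile)(?:\s+\w+){0,2}\s+transmit(?:ted|ting)?',
                  )
                )
              )
      )
    )
  )
  // negate known fax mailers -- but only when DMARC passes. root_domain is taken
  // from the From header, which an attacker can set freely; without the DMARC
  // condition a spoofed "@efax.com" sender would exempt itself from this rule.
  and not (
    sender.email.domain.root_domain in (
      "faxage.com",
      'fax2mail.com',
      'ringcentral.com',
      'avaya.com',
      'egoldfax.com',
      'efax.com',
      'hellofax.com',
      'mfax.io',
      'goto.com',
      'faxmessage.net',
      'fuze.com',
      'retarus.net',
      'srfax.com',
      'myfax.com'
    )
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Image as content"
  # NOTE(review): the source above inspects link display text and OCR'd
  # attachment images, not link hosts; the two host tags below presumably
  # describe observed campaigns rather than conditions the rule enforces -- confirm
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"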