Brand impersonation: Fake Fax

Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Fake Fax"
  2description: |
  3    Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
  4references:
  5  - "https://www.hoxhunt.com/blog/fax-phishing"
  6type: "rule"
  7severity: "medium"
  8source: |
  9  type.inbound
 10  // Subject or sender contains fax
 11  and (
 12    any([subject.subject, sender.display_name],
 13        regex.icontains(.,
 14                        '\bfax\b',
 15                        '[ve][[:punct:]]?fax',
 16                        '[[:punct:]]fax\b',
 17                        '\bfax[[:punct:]]',
 18                        'fr[[:punct:]].{0,25}document',
 19                        'e.?f.?a.?x'
 20        )
 21    )
 22  )
 23  and (
 24    // body.current_thread.text logic
 25    (
 26      ( // strong notification terms in either the subject or body.current_thread.text
 27        any([subject.subject, body.current_thread.text],
 28            strings.icontains(., "New Fax Received")
 29            or strings.icontains(., "e-Fax Document")
 30            or strings.icontains(., "Fax Status")
 31            or strings.icontains(., "Fax ID")
 32            or strings.icontains(., "Fax Message Delivered")
 33            or strings.icontains(., "Incoming Fax")
 34            or strings.icontains(., "New Fax Document")
 35            or strings.istarts_with(., 'Fax message')
 36            or regex.icontains(.,
 37                               '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
 38            )
 39            or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
 40            or regex.icontains(.,
 41                               'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
 42                               '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
 43            )
 44        )
 45        and (
 46          // combined with above, we should have very high confidence this is a fax message
 47          (
 48            // date
 49            strings.icontains(body.current_thread.text, "Date:")
 50            or strings.icontains(body.current_thread.text, "Time Sent:")
 51            or strings.icontains(body.current_thread.text, "Time Received:")
 52            or strings.icontains(body.current_thread.text, "Received")
 53            // page count
 54            or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
 55            or strings.icontains(body.current_thread.text, "Type: PDF")
 56          )
 57          // commonly abused brands
 58          or (
 59            strings.icontains(body.current_thread.text,
 60                              "eFax is a registered trademark of Consensus"
 61            )
 62            or strings.icontains(body.current_thread.text, "RingCentral, Inc")
 63          )
 64          // there is a link with the display text of some CTA
 65          or any(body.links,
 66                 strings.icontains(.display_text, "open fax")
 67                 // review document, view document review and sign document
 68                 or regex.icontains(.display_text,
 69                                    "(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
 70                 )
 71                 or strings.icontains(.display_text, "Open document")
 72          )
 73        )
 74      )
 75      // attachment logic
 76      or (
 77        // the body.current_thread.text length is very short (probably just a warning banner)
 78        // and the attachment isn't used in the body of the message
 79        length(body.current_thread.text) < 300
 80        // and there are attachments
 81        and 0 < length(attachments) < 5
 82        // the attachments shouldn't be images which are used in the body of the html
 83        and any(attachments,
 84                strings.icontains(.file_name, 'fax')
 85                or (
 86                  // or they are used in the body and OCR on them contains fax wording
 87                  // the image is used in the HTML body
 88                  .file_type in $file_types_images
 89                  and (
 90                    any(regex.extract(.content_id, '^\<(.*)\>$'),
 91                        any(.groups,
 92                            strings.icontains(body.html.raw,
 93                                              strings.concat('src="cid:', ., '"')
 94                            )
 95                        )
 96                    )
 97                    or strings.icontains(body.html.raw, .content_id)
 98                  )
 99                  and (
100                    // and that image contains fax wording
101                    strings.icontains(beta.ocr(.).text, "New Fax Received")
102                    or strings.icontains(beta.ocr(.).text, "New Fax Document")
103                    or regex.icontains(beta.ocr(.).text,
104                                       "(?:received|have) a (?:new )?fax"
105                    )
106                    or regex.icontains(beta.ocr(.).text,
107                                       "to view (th(?:e|is) )?(?:fax|message)"
108                    )
109                    or regex.icontains(beta.ocr(.).text,
110                                       'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
111                                       '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
112                    )
113                  )
114                )
115        )
116      )
117    )
118  )
119  // negate known fax mailers
120  and not (
121    sender.email.domain.root_domain in (
122      "faxage.com",
123      'fax2mail.com',
124      'ringcentral.com',
125      'ringcentral.biz',
126      'avaya.com',
127      'egoldfax.com',
128      'efax.com',
129      'hellofax.com',
130      'mfax.io',
131      'goto.com',
132      'faxmessage.net',
133      'fuze.com',
134      'retarus.net',
135      'srfax.com',
136      'myfax.com',
137      '8x8.com',
138      'zoom.us',
139      'faxhd.com',
140      'humblefax.com',
141      'bridge.insure',
142      'telecomsvc.com'
143    )
144    and headers.auth_summary.dmarc.pass
145  )  
146
147attack_types:
148  - "Credential Phishing"
149tactics_and_techniques:
150  - "Impersonation: Brand"
151  - "Image as content"
152  - "Free file host"
153  - "Free subdomain host"
154  - "Social engineering"
155detection_methods:
156  - "Computer Vision"
157  - "Content analysis"
158  - "Optical Character Recognition"
159  - "Sender analysis"
160  - "URL analysis"
161id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"