Brand Impersonation: Fake Fax

Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata wrapped around an MQL query in `source`.
name: "Brand Impersonation: Fake Fax"
description: |
    Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
references:
  - "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
source: |
  // scope: inbound messages only
  type.inbound

  // not a reply/fwd
  // both conditions are required: an empty References header AND no In-Reply-To,
  // so a fax lure sent as a reply into an existing thread is out of scope for this rule
  and length(headers.references) == 0 
  and headers.in_reply_to is null

  // Subject or sender contains fax
  // '\bfax\b' is the whole word; the other three patterns catch "e-fax"/"vfax" style
  // spellings and "fax" glued to punctuation (e.g. "fax:"), where \b alone would not fire
  and (
    any([subject.subject, sender.display_name],
        regex.icontains(.,
                        '\bfax\b',
                        '[ve][[:punct:]]?fax',
                        '[[:punct:]]fax\b',
                        '\bfax[[:punct:]]'
        )
    )
  )
  // one of two branches must hold: fax-notification wording in the visible text,
  // or a near-empty body whose attachments carry the fax lure
  and (
    // body.current_thread.text logic
    (
      ( // strong notification terms in either the subject or body.current_thread.text
        any([subject.subject, body.current_thread.text],
            strings.icontains(., "New Fax Received")
            or strings.icontains(., "New Fax Document")
            or regex.icontains(., "(?:received|have) a (?:new )?fax")
            or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
            or regex.icontains(.,
                               'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                               '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
            )
        )
        // secondary evidence: at least one of the three groups below must also match
        and (
          // combined with above, we should have very high confidence this is a fax message
          (
            // date
            // ("Received" on its own is a broad match; it only counts alongside the
            // strong notification terms above)
            strings.icontains(body.current_thread.text, "Date:")
            or strings.icontains(body.current_thread.text, "Time Sent:")
            or strings.icontains(body.current_thread.text, "Time Received:")
            or strings.icontains(body.current_thread.text, "Received")
            // page count
            or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
            or strings.icontains(body.current_thread.text, "Type: PDF")
          )
          // commonly abused brands
          // footer text matched verbatim; the brands' own sending domains are exempted
          // in the negation block at the bottom of this query
          or (
            strings.icontains(body.current_thread.text,
                              "eFax is a registered trademark of Consensus"
            )
            or strings.icontains(body.current_thread.text, "RingCentral, Inc")
          )
          // there is a link with the display text of some CTA
          or any(body.links,
                 strings.icontains(.display_text, "open fax")
                 // review document, view document review and sign document
                 or regex.icontains(.display_text,
                                    "(?:re)?view (?:(?:&|and) sign )?document"
                 )
                 or strings.icontains(.display_text, "Open document")
          )
        )
      )
      // attachment logic
      or (
        // the body.current_thread.text length is very short (probably just a warning banner)
        // and the attacment isn't used in the body of the message
        // https://platform.sublime.security/messages/95f01a3c68655e685d90b62b8636d2f53bb4148c49a52391b59a083637afd0f2
        length(body.current_thread.text) < 300
        // and there are attachments (between 1 and 4 of them)
        and 0 < length(attachments) < 5
        // the attachments shouldn't be images which are used in the body of the html
        and any(attachments,
                // either the file name itself mentions fax...
                strings.icontains(.file_name, 'fax')
                or (

                  // or they are used in the body and OCR on them contains fax wording
                  // https://platform.sublime.security/messages/07bdeda6a045ade4a1669b263d3f506ea4c40a8559148f2ffff600d6140bac90

                  // the image is used in the HTML body
                  // Content-ID values are wrapped in angle brackets; the regex strips them so
                  // the raw HTML can be searched for the matching src="cid:..." reference
                  .file_type in $file_types_images
                  and any(regex.extract(.content_id, '^\<(.*)\>$'),
                          any(.groups,
                              strings.icontains(body.html.raw,
                                                strings.concat('src="cid:',
                                                               .,
                                                               '"'
                                                )
                              )
                          )
                  )
                  and (
                    // and that image contains fax wording
                    // same phrase set as the body-text branch above, applied to the OCR'd image text
                    strings.icontains(beta.ocr(.).text, "New Fax Received")
                    or strings.icontains(beta.ocr(.).text, "New Fax Document")
                    or regex.icontains(beta.ocr(.).text,
                                       "(?:received|have) a (?:new )?fax"
                    )
                    or regex.icontains(beta.ocr(.).text,
                                       "to view (th(?:e|is) )?(?:fax|message)"
                    )
                    or regex.icontains(beta.ocr(.).text,
                                       'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                                       '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
                    )
                  )
                )
        )
      )
    )
  )
  // negate known fax mailers
  // the exemption applies only when the sender root domain is on this list AND the message
  // passes DMARC; a message that merely claims one of these From: domains without a
  // DMARC pass is still evaluated by the logic above
  and not (
    sender.email.domain.root_domain in (
      "faxage.com",
      'fax2mail.com',
      'ringcentral.com',
      'avaya.com',
      'egoldfax.com',
      'efax.com',
      'hellofax.com',
      'mfax.io',
      'goto.com',
      'faxmessage.net',
      'fuze.com', // https://platform.sublime.security/messages/79f322c865c73d533636bcb51b76cf42060da684c6cee42a849a5a7c82783e2c
      'retarus.net', // https://platform.sublime.security/messages/8f3a8482b241f2310eaf6a5a21e25c3bcb2b86db3a1caebdc281f11b1deae537
      'srfax.com', // https://platform.sublime.security/messages/1cda1df80bad12dd59b0052fd5acc939322f21b1451870ed719d31e4ac887167
      'myfax.com', // https://platform.sublime.security/messages/455b8e1814386b263148c5eba938954adb156270c66eb0b1ac85a1472a55334c
    )
    and headers.auth_summary.dmarc.pass
  )  
# Classification metadata below is not evaluated by the query above.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Image as content"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
# stable identifier for this rule
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"