Brand impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
# Sublime Security detection rule: YAML metadata around an MQL `source` query.
# Fires on inbound mail that uses fax-notification language but is not sent
# (with a passing DMARC result) from one of the fax providers listed at the end.
name: "Brand impersonation: Fake Fax"
description: |
  Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
references:
  - "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
source: |
  type.inbound
  // Subject or sender contains fax
  // Patterns are case-insensitive; besides a bare "fax" they catch punctuated
  // or spaced-out forms (e-fax, v.fax, e.f.a.x) and "fr<punct>...document".
  and (
    any([subject.subject, sender.display_name],
        regex.icontains(.,
                        '\bfax\b',
                        '[ve][[:punct:]]?fax',
                        '[[:punct:]]fax\b',
                        '\bfax[[:punct:]]',
                        'fr[[:punct:]].{0,25}document',
                        'e.?f.?a.?x'
        )
    )
  )
  // One of two evidence paths must hold: fax-notification wording in the
  // current thread text, or a short body paired with a fax-themed attachment.
  and (
    // body.current_thread.text logic
    (
      ( // strong notification terms in either the subject or body.current_thread.text
        any([subject.subject, body.current_thread.text],
            strings.icontains(., "New Fax Received")
            or strings.icontains(., "e-Fax Document")
            or strings.icontains(., "Fax Status")
            or strings.icontains(., "Fax ID")
            or strings.icontains(., "Incoming Fax")
            or strings.icontains(., "New Fax Document")
            or strings.istarts_with(., 'Fax message')
            or regex.icontains(.,
                               '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
            )
            or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
            or regex.icontains(.,
                               'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                               '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
            )
        )
        and (
          // combined with above, we should have very high confidence this is a fax message
          (
            // date
            strings.icontains(body.current_thread.text, "Date:")
            or strings.icontains(body.current_thread.text, "Time Sent:")
            or strings.icontains(body.current_thread.text, "Time Received:")
            // NOTE(review): a bare "Received" is broad on its own; it only adds
            // confidence here because a strong fax term already matched above.
            or strings.icontains(body.current_thread.text, "Received")
            // page count
            or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
            or strings.icontains(body.current_thread.text, "Type: PDF")
          )
          // commonly abused brands
          or (
            strings.icontains(body.current_thread.text,
                              "eFax is a registered trademark of Consensus"
            )
            or strings.icontains(body.current_thread.text, "RingCentral, Inc")
          )
          // there is a link with the display text of some CTA
          or any(body.links,
                 strings.icontains(.display_text, "open fax")
                 // review document, view document review and sign document
                 or regex.icontains(.display_text,
                                    "(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
                 )
                 or strings.icontains(.display_text, "Open document")
          )
        )
      )
      // attachment logic
      or (
        // the body.current_thread.text length is very short (probably just a warning banner)
        length(body.current_thread.text) < 300
        // and there are attachments
        and 0 < length(attachments) < 5
        // an attachment either carries "fax" in its file name, or is an inline
        // image (referenced from the HTML body) whose OCR text contains fax wording
        and any(attachments,
                strings.icontains(.file_name, 'fax')
                or (
                  // the image is used in the HTML body
                  .file_type in $file_types_images
                  and (
                    // strip the surrounding <...> from the Content-ID and look for
                    // it as an inline src="cid:..." reference in the raw HTML
                    any(regex.extract(.content_id, '^\<(.*)\>$'),
                        any(.groups,
                            strings.icontains(body.html.raw,
                                              strings.concat('src="cid:', ., '"')
                            )
                        )
                    )
                    // fallback: the raw Content-ID appears anywhere in the HTML
                    or strings.icontains(body.html.raw, .content_id)
                  )
                  and (
                    // and that image contains fax wording
                    strings.icontains(beta.ocr(.).text, "New Fax Received")
                    or strings.icontains(beta.ocr(.).text, "New Fax Document")
                    or regex.icontains(beta.ocr(.).text,
                                       "(?:received|have) a (?:new )?fax"
                    )
                    or regex.icontains(beta.ocr(.).text,
                                       "to view (th(?:e|is) )?(?:fax|message)"
                    )
                    or regex.icontains(beta.ocr(.).text,
                                       'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                                       '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
                    )
                  )
                )
        )
      )
    )
  )
  // negate known fax mailers
  // The exemption needs both conditions: the sender's root domain is a listed
  // provider AND DMARC passed, so a spoofed provider domain that fails DMARC
  // is still flagged.
  and not (
    sender.email.domain.root_domain in (
      "faxage.com",
      'fax2mail.com',
      'ringcentral.com',
      'ringcentral.biz',
      'avaya.com',
      'egoldfax.com',
      'efax.com',
      'hellofax.com',
      'mfax.io',
      'goto.com',
      'faxmessage.net',
      'fuze.com',
      'retarus.net',
      'srfax.com',
      'myfax.com',
      '8x8.com',
      'zoom.us',
      'faxhd.com',
      'humblefax.com',
      'bridge.insure',
      'telecomsvc.com'
    )
    and headers.auth_summary.dmarc.pass
  )

# Classification metadata used by the platform for reporting and tagging.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Image as content"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"