Brand impersonation: Fake fax
Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from a first-time sender.
Sublime rule
# Sublime detection rule: brand-impersonating "fax notification" lures that carry a
# small number of low-reputation links and arrive from a sender not seen before.
# Every top-level clause in `source` is joined with `and`, so all of them must hold.
name: "Brand impersonation: Fake fax"
description: |
  Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from a first-time sender.
references:
  - "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
source: |
  // Inbound messages only, with between 1 and 4 links in the body
  // (0 < length < 5); the lure typically carries a single "view fax" link.
  type.inbound
  and 0 < length(body.links) < 5

  // Sender's root domain is not one of the organization's own domains.
  and sender.email.domain.root_domain not in $org_domains

  // At least one link is low reputation: not in $tranco_1m (Tranco top-1M
  // popularity list), or hosted on a free file host, free subdomain host,
  // URL shortener, or one of the mass-mailer redirect domains listed below.
  and any(body.links,
          (
            .href_url.domain.domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net", )
          )
  )

  // any brand logo detected: logo detection runs over image attachments and
  // over a screenshot of the rendered message (beta.message_screenshot()),
  // and any brand name is accepted (.name is not null).
  and (
    any(attachments,
        .file_type in $file_types_images and any(ml.logo_detect(.).brands, .name is not null)
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
  )

  // Subject or sender contains fax (case-insensitive substring match)
  and (strings.icontains(subject.subject, "fax") or strings.icontains(sender.display_name, "fax"))

  // suspicious content: "fax" in the plain-text body, or in OCR text extracted
  // from an image attachment (the lure text is often rendered as an image).
  // NOTE(review): if body.plain.raw is null for HTML-only messages, the OCR
  // branch is the only way this clause can pass — confirm against the engine.
  and (
    strings.ilike(body.plain.raw, "*fax*")
    or (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*fax*"))
      )
    )
  )

  // first time sender: free-mail senders are keyed by exact address
  // ($sender_emails), all other senders by domain ($sender_domains).
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
# Classification metadata used for reporting; does not affect matching.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Image as content"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"