Brand impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Fake Fax"
2description: |
3 Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
4references:
5 - "https://www.hoxhunt.com/blog/fax-phishing"
6type: "rule"
7severity: "medium"
8source: |
9 type.inbound
10 // Subject or sender contains fax
11 and (
12 any([subject.subject, sender.display_name],
13 regex.icontains(.,
14 '\bfax\b',
15 '[ve][[:punct:]]?fax',
16 '[[:punct:]]fax\b',
17 '\bfax[[:punct:]]',
18 'fr[[:punct:]].{0,25}document',
19 'e.?f.?a.?x'
20 )
21 )
22 )
23 and (
24 // body.current_thread.text logic
25 (
26 ( // strong notification terms in either the subject or body.current_thread.text
27 any([subject.subject, body.current_thread.text],
28 strings.icontains(., "New Fax Received")
29 or strings.icontains(., "e-Fax Document")
30 or strings.icontains(., "Fax Status")
31 or strings.icontains(., "Fax ID")
32 or strings.icontains(., "Fax Message Delivered")
33 or strings.icontains(., "Incoming Fax")
34 or strings.icontains(., "New Fax Document")
35 or strings.istarts_with(., 'Fax message')
36 or regex.icontains(.,
37 '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
38 )
39 or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
40 or regex.icontains(.,
41 'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
42 '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
43 )
44 )
45 and (
46 // combined with above, we should have very high confidence this is a fax message
47 (
48 // date
49 strings.icontains(body.current_thread.text, "Date:")
50 or strings.icontains(body.current_thread.text, "Time Sent:")
51 or strings.icontains(body.current_thread.text, "Time Received:")
52 or strings.icontains(body.current_thread.text, "Received")
53 // page count
54 or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
55 or strings.icontains(body.current_thread.text, "Type: PDF")
56 )
57 // commonly abused brands
58 or (
59 strings.icontains(body.current_thread.text,
60 "eFax is a registered trademark of Consensus"
61 )
62 or strings.icontains(body.current_thread.text, "RingCentral, Inc")
63 )
64 // there is a link with the display text of some CTA
65 or any(body.links,
66 strings.icontains(.display_text, "open fax")
67 // review document, view document review and sign document
68 or regex.icontains(.display_text,
69 "(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
70 )
71 or strings.icontains(.display_text, "Open document")
72 )
73 )
74 )
75 // attachment logic
76 or (
77 // the body.current_thread.text length is very short (probably just a warning banner)
78 // and the attachment isn't used in the body of the message
79 length(body.current_thread.text) < 300
80 // and there are attachments
81 and 0 < length(attachments) < 5
82 // the attachments shouldn't be images which are used in the body of the html
83 and any(attachments,
84 strings.icontains(.file_name, 'fax')
85 or (
86 // or they are used in the body and OCR on them contains fax wording
87 // the image is used in the HTML body
88 .file_type in $file_types_images
89 and (
90 any(regex.extract(.content_id, '^\<(.*)\>$'),
91 any(.groups,
92 strings.icontains(body.html.raw,
93 strings.concat('src="cid:', ., '"')
94 )
95 )
96 )
97 or strings.icontains(body.html.raw, .content_id)
98 )
99 and (
100 // and that image contains fax wording
101 strings.icontains(beta.ocr(.).text, "New Fax Received")
102 or strings.icontains(beta.ocr(.).text, "New Fax Document")
103 or regex.icontains(beta.ocr(.).text,
104 "(?:received|have) a (?:new )?fax"
105 )
106 or regex.icontains(beta.ocr(.).text,
107 "to view (th(?:e|is) )?(?:fax|message)"
108 )
109 or regex.icontains(beta.ocr(.).text,
110 'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
111 '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
112 )
113 )
114 )
115 )
116 )
117 )
118 )
119 // negate known fax mailers
120 and not (
121 sender.email.domain.root_domain in (
122 "faxage.com",
123 'fax2mail.com',
124 'ringcentral.com',
125 'ringcentral.biz',
126 'avaya.com',
127 'egoldfax.com',
128 'efax.com',
129 'hellofax.com',
130 'mfax.io',
131 'goto.com',
132 'faxmessage.net',
133 'fuze.com',
134 'retarus.net',
135 'srfax.com',
136 'myfax.com',
137 '8x8.com',
138 'zoom.us',
139 'faxhd.com',
140 'humblefax.com',
141 'bridge.insure',
142 'telecomsvc.com'
143 )
144 and headers.auth_summary.dmarc.pass
145 )
146
147attack_types:
148 - "Credential Phishing"
149tactics_and_techniques:
150 - "Impersonation: Brand"
151 - "Image as content"
152 - "Free file host"
153 - "Free subdomain host"
154 - "Social engineering"
155detection_methods:
156 - "Computer Vision"
157 - "Content analysis"
158 - "Optical Character Recognition"
159 - "Sender analysis"
160 - "URL analysis"
161id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"