Brand Impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
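name: "Brand Impersonation: Fake Fax"
description: |
  Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
references:
  - "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
source: |
  type.inbound

  // not a reply/fwd: no References entries and no In-Reply-To header
  and length(headers.references) == 0
  and headers.in_reply_to is null

  // Subject or sender display name contains "fax": as a whole word, as an
  // e-fax / v-fax style prefix (optional punctuation), or directly attached
  // to punctuation (e.g. "[fax", "fax:")
  and (
    any([subject.subject, sender.display_name],
        regex.icontains(.,
                        '\bfax\b',
                        '[ve][[:punct:]]?fax',
                        '[[:punct:]]fax\b',
                        '\bfax[[:punct:]]'
        )
    )
  )
  and (
    // body.current_thread.text logic
    (
      ( // strong notification terms in either the subject or body.current_thread.text
        any([subject.subject, body.current_thread.text],
            strings.icontains(., "New Fax Received")
            or strings.icontains(., "New Fax Document")
            or regex.icontains(., "(?:received|have) a (?:new )?fax")
            or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
            // "transmitted ... fax" or "fax ... transmitted", allowing up to
            // two words in between in either direction
            or regex.icontains(.,
                               'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                               '(?:fax|facsimile)(?:\s+\w+){0,2}\s+transmit(?:ted|ting)?',
            )
        )
      )
      and (
        // combined with above, we should have very high confidence this is a fax message
        (
          // date / time metadata lines typical of a fax cover notification
          strings.icontains(body.current_thread.text, "Date:")
          or strings.icontains(body.current_thread.text, "Time Sent:")
          or strings.icontains(body.current_thread.text, "Time Received:")
          or strings.icontains(body.current_thread.text, "Received")
          // page count
          or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
          or strings.icontains(body.current_thread.text, "Type: PDF")
        )
        // commonly abused brands: footer/trademark text lifted from genuine notifications
        or (
          strings.icontains(body.current_thread.text,
                            "eFax is a registered trademark of Consensus"
          )
          or strings.icontains(body.current_thread.text, "RingCentral, Inc")
        )
        // there is a link with the display text of some CTA
        or any(body.links,
               strings.icontains(.display_text, "open fax")
               // review document, view document, review and sign document
               or regex.icontains(.display_text,
                                  "(?:re)?view (?:(?:&|and) sign )?document"
               )
               or strings.icontains(.display_text, "Open document")
        )
      )
    )
    // attachment logic
    or (
      // the body.current_thread.text length is very short (probably just a warning banner)
      // and the attachment isn't used in the body of the message
      // https://platform.sublime.security/messages/95f01a3c68655e685d90b62b8636d2f53bb4148c49a52391b59a083637afd0f2
      length(body.current_thread.text) < 300
      // and there are attachments, but only a few (not a bulk/multi-file mailing)
      and 0 < length(attachments) < 5
      and any(attachments,
              // either the attachment name itself mentions fax
              strings.icontains(.file_name, 'fax')
              or (
                // or the attachment is an image rendered inline in the HTML body
                // and OCR on it contains fax wording
                // https://platform.sublime.security/messages/07bdeda6a045ade4a1669b263d3f506ea4c40a8559148f2ffff600d6140bac90

                // the image is used in the HTML body: its Content-ID, with the
                // surrounding angle brackets stripped, appears as src="cid:..."
                .file_type in $file_types_images
                and any(regex.extract(.content_id, '^\<(.*)\>$'),
                        any(.groups,
                            strings.icontains(body.html.raw,
                                              strings.concat('src="cid:',
                                                             .,
                                                             '"'
                                              )
                            )
                        )
                )
                and (
                  // and that image contains fax wording (same phrases as the text checks above)
                  strings.icontains(beta.ocr(.).text, "New Fax Received")
                  or strings.icontains(beta.ocr(.).text, "New Fax Document")
                  or regex.icontains(beta.ocr(.).text,
                                     "(?:received|have) a (?:new )?fax"
                  )
                  or regex.icontains(beta.ocr(.).text,
                                     "to view (th(?:e|is) )?(?:fax|message)"
                  )
                  // "transmitted ... fax" / "fax ... transmitted", up to two words apart
                  or regex.icontains(beta.ocr(.).text,
                                     'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                                     '(?:fax|facsimile)(?:\s+\w+){0,2}\s+transmit(?:ted|ting)?',
                  )
                )
              )
      )
    )
  )
  // negate known fax mailers
  and not (
    sender.email.domain.root_domain in (
      "faxage.com",
      'fax2mail.com',
      'ringcentral.com',
      'avaya.com',
      'egoldfax.com',
      'efax.com',
      'hellofax.com',
      'mfax.io',
      'goto.com',
      'faxmessage.net',
      'fuze.com', // https://platform.sublime.security/messages/79f322c865c73d533636bcb51b76cf42060da684c6cee42a849a5a7c82783e2c
      'retarus.net', // https://platform.sublime.security/messages/8f3a8482b241f2310eaf6a5a21e25c3bcb2b86db3a1caebdc281f11b1deae537
      'srfax.com', // https://platform.sublime.security/messages/1cda1df80bad12dd59b0052fd5acc939322f21b1451870ed719d31e4ac887167
      'myfax.com', // https://platform.sublime.security/messages/455b8e1814386b263148c5eba938954adb156270c66eb0b1ac85a1472a55334c
    )
    // the allowlist only applies when DMARC passes, so a message merely
    // claiming one of these domains in From: is still evaluated by the rule
    and headers.auth_summary.dmarc.pass
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Image as content"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"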