Brand impersonation: Fake fax

Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low-reputation link from a first-time sender.

Sublime rule (View on GitHub)

# Sublime Security detection rule: YAML metadata plus an MQL query in `source`.
# Every top-level clause of the query is ANDed, so a message must satisfy all
# of them (link, logo, "fax" wording, body/OCR content, first-time sender) to match.
name: "Brand impersonation: Fake fax"
description: |
    Detects the presence of known brand logos, mentions of "fax" in the subject or sender's display name, and a low reputation link from a first-time sender.
references:
  - "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
# The query below is MQL; `//` is the comment syntax inside the block scalar
# (a `#` here would be part of the query text, not a YAML comment).
source: |
  // only inbound mail, carrying between 1 and 4 links
  type.inbound
  and 0 < length(body.links) < 5

  // external sender: root domain is not one of the organisation's own
  and sender.email.domain.root_domain not in $org_domains

  // at least one link is low reputation: outside the Tranco top 1M, or hosted on a
  // free file host, free subdomain host, URL shortener, or a mass-mailer redirector
  and any(body.links,
          (
            .href_url.domain.domain not in $tranco_1m
            or .href_url.domain.domain in $free_file_hosts
            or .href_url.domain.root_domain in $free_subdomain_hosts
            or .href_url.domain.domain in $url_shorteners
            or

            // mass mailer link, masks the actual URL
            .href_url.domain.root_domain in ("hubspotlinks.com", "mandrillapp.com", "sendgrid.net", )
          )
  )

  // any brand logo detected: run logo detection over image attachments, and
  // otherwise over a screenshot of the rendered message; a non-null brand name
  // means a known brand was recognised
  and (
    any(attachments,
        .file_type in $file_types_images and any(ml.logo_detect(.).brands, .name is not null)
    )
    or any(ml.logo_detect(beta.message_screenshot()).brands, .name is not null)
  )

  // Subject or sender contains fax
  // NOTE(review): case-insensitive substring match, so it also fires on words that
  // merely contain "fax" (e.g. "Halifax"); consider a word-boundary match if noisy
  and (strings.icontains(subject.subject, "fax") or strings.icontains(sender.display_name, "fax"))

  // suspicious content: "fax" also appears in the plain-text body, or in the OCR
  // text of an image attachment (covers the image-as-content variant of the lure)
  and (
    strings.ilike(body.plain.raw, "*fax*")
    or (
      any(attachments,
          .file_type in $file_types_images
          and any(file.explode(.), strings.ilike(.scan.ocr.raw, "*fax*"))
      )
    )
  )

  // first time sender: free-mail senders are keyed on the exact address,
  // all other senders on the sending domain
  and (
    (
      sender.email.domain.root_domain in $free_email_providers
      and sender.email.email not in $sender_emails
    )
    or (
      sender.email.domain.root_domain not in $free_email_providers
      and sender.email.domain.domain not in $sender_domains
    )
  )
# Classification metadata used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Image as content"
  - "Free file host"
  - "Free subdomain host"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "Content analysis"
  - "Optical Character Recognition"
  - "Sender analysis"
  - "URL analysis"
# Stable rule identifier.
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"