Service abuse: Facebook business with action required subject

 1name: "Service abuse: Facebook business with action required subject"
 2description: "Detects messages from the Facebook business domain containing 'action required' in the subject line, commonly used to create urgency in impersonation attacks."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    sender.email.domain.root_domain == "facebook.com"
 9    or sender.email.domain.root_domain == "facebookmail.com"
10  )
11  and 3 of (
12    strings.icontains(subject.subject, "Action required"),
13    strings.icontains(subject.subject, "invited to join"),
14    strings.icontains(body.current_thread.text, "You've been invited"),
15    strings.icontains(body.current_thread.text, "You're invited"),
16    strings.icontains(body.current_thread.text,
17                      "not part of or affiliated with Meta"
18    )
19  )
20  and (
21    // and the link is recently registered
22    any(body.links, network.whois(.href_url.domain).days_old <= 30)
23    or any(body.links,
24           // if the link is still active, check if it's cred theft
25           any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
26               .name == "cred_theft" and .confidence != "low"
27           )
28    )
29    // or look for the legit Meta footer address
30    or strings.icontains(body.current_thread.text,
31                         '1 Meta Way, Menlo Park, CA 94025'
32    )
33  )  
34tags:
35 - "Attack surface reduction"
36attack_types:
37  - "Credential Phishing"
38tactics_and_techniques:
39  - "Impersonation: Brand"
40  - "Social engineering"
41detection_methods:
42  - "Content analysis"
43  - "Sender analysis"
44id: "64297d2f-a5bd-5336-8db7-ec00df59411f"