Service abuse: Facebook business with action required subject
Detects messages from the Facebook business domain containing 'action required' in the subject line, commonly used to create urgency in impersonation attacks.
Sublime rule (View on GitHub)
1name: "Service abuse: Facebook business with action required subject"
2description: "Detects messages from the Facebook business domain containing 'action required' in the subject line, commonly used to create urgency in impersonation attacks."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 sender.email.domain.root_domain == "facebook.com"
9 or sender.email.domain.root_domain == "facebookmail.com"
10 )
11 and 3 of (
12 strings.icontains(subject.subject, "Action required"),
13 strings.icontains(subject.subject, "invited to join"),
14 strings.icontains(subject.subject, "partner request"),
15 strings.icontains(body.current_thread.text, "You've been invited"),
16 strings.icontains(body.current_thread.text, "You're invited"),
17 strings.icontains(body.current_thread.text,
18 "You've received a partner request"
19 ),
20 strings.icontains(body.current_thread.text,
21 "not part of or affiliated with Meta"
22 ),
23 strings.icontains(body.current_thread.text, "Agency Partner")
24 )
25 and (
26 // and the link is recently registered
27 any(body.links, network.whois(.href_url.domain).days_old <= 30)
28 or any(body.links,
29 // if the link is still active, check if it's cred theft
30 any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
31 .name == "cred_theft" and .confidence != "low"
32 )
33 )
34 // or look for the legit Meta footer address
35 or strings.icontains(body.current_thread.text,
36 '1 Meta Way, Menlo Park, CA 94025'
37 )
38 )
39tags:
40 - "Attack surface reduction"
41attack_types:
42 - "Credential Phishing"
43tactics_and_techniques:
44 - "Impersonation: Brand"
45 - "Social engineering"
46detection_methods:
47 - "Content analysis"
48 - "Sender analysis"
49id: "64297d2f-a5bd-5336-8db7-ec00df59411f"