
Commit 93bec2a

[PR #3481] added rule: Brand impersonation: Fake Fax
1 parent ee48f63 commit 93bec2a


1 file changed

+159
-0
lines changed

1 file changed

+159
-0
lines changed
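--- /dev/null
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -0,0 +1,159 @@
+name: "Brand impersonation: Fake Fax"
+description: |
+Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
+references:
+- "https://www.hoxhunt.com/blog/fax-phishing"
+type: "rule"
+severity: "medium"
+source: |
+type.inbound
+
+// not a reply/fwd
+and length(headers.references) == 0
+and headers.in_reply_to is null
+
+// Subject or sender contains fax
+and (
+any([subject.subject, sender.display_name],
+regex.icontains(.,
+'\bfax\b',
+'[ve][[:punct:]]?fax',
+'[[:punct:]]fax\b',
+'\bfax[[:punct:]]',
+'fr[[:punct:]].{0,25}document'
+)
+)
+)
+and (
+// body.current_thread.text logic
+(
+( // strong notification terms in either the subject or body.current_thread.text
+any([subject.subject, body.current_thread.text],
+strings.icontains(., "New Fax Received")
+or strings.icontains(., "e-Fax Document")
+or strings.icontains(., "Fax Status")
+or strings.icontains(., "Fax ID")
+or strings.icontains(., "New Fax Document")
+or regex.icontains(., '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax')
+or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
+or regex.icontains(.,
+'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
+'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
+)
+)
+and (
+// combined with above, we should have very high confidence this is a fax message
+(
+// date
+strings.icontains(body.current_thread.text, "Date:")
+or strings.icontains(body.current_thread.text, "Time Sent:")
+or strings.icontains(body.current_thread.text, "Time Received:")
+or strings.icontains(body.current_thread.text, "Received")
+// page count
+or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
+or strings.icontains(body.current_thread.text, "Type: PDF")
+)
+// commonly abused brands
+or (
+strings.icontains(body.current_thread.text,
+"eFax is a registered trademark of Consensus"
+)
+or strings.icontains(body.current_thread.text, "RingCentral, Inc")
+)
+// there is a link with the display text of some CTA
+or any(body.links,
+strings.icontains(.display_text, "open fax")
+// review document, view document review and sign document
+or regex.icontains(.display_text,
+"(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
+)
+or strings.icontains(.display_text, "Open document")
+)
+)
+)
+// attachment logic
+or (
+// the body.current_thread.text length is very short (probably just a warning banner)
+// and the attachment isn't used in the body of the message
+length(body.current_thread.text) < 300
+// and there are attachments
+and 0 < length(attachments) < 5
+// the attachments shouldn't be images which are used in the body of the html
+and any(attachments,
+strings.icontains(.file_name, 'fax')
+or (
+// or they are used in the body and OCR on them contains fax wording
+// the image is used in the HTML body
+.file_type in $file_types_images
+and
+(
+any(regex.extract(.content_id, '^\<(.*)\>$'),
+any(.groups,
+strings.icontains(body.html.raw,
+strings.concat('src="cid:',
+.,
+'"'
+)
+)
+)
+)
+or strings.icontains(body.html.raw, .content_id)
+)
+and (
+// and that image contains fax wording
+strings.icontains(beta.ocr(.).text, "New Fax Received")
+or strings.icontains(beta.ocr(.).text, "New Fax Document")
+or regex.icontains(beta.ocr(.).text,
+"(?:received|have) a (?:new )?fax"
+)
+or regex.icontains(beta.ocr(.).text,
+"to view (th(?:e|is) )?(?:fax|message)"
+)
+or regex.icontains(beta.ocr(.).text,
+'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
+'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
+)
+)
+)
+)
+)
+)
+)
+// negate known fax mailers
+and not (
+sender.email.domain.root_domain in (
+"faxage.com",
+'fax2mail.com',
+'ringcentral.com',
+'avaya.com',
+'egoldfax.com',
+'efax.com',
+'hellofax.com',
+'mfax.io',
+'goto.com',
+'faxmessage.net',
+'fuze.com',
+'retarus.net',
+'srfax.com',
+'myfax.com'
+)
+and headers.auth_summary.dmarc.pass
+)
+attack_types:
+- "Credential Phishing"
+tactics_and_techniques:
+- "Impersonation: Brand"
+- "Image as content"
+- "Free file host"
+- "Free subdomain host"
+- "Social engineering"
+detection_methods:
+- "Computer Vision"
+- "Content analysis"
+- "Optical Character Recognition"
+- "Sender analysis"
+- "URL analysis"
+id: "605aec3c-9875-5c3c-ae88-75a97c4a6ae4"
+og_id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"
+testing_pr: 3481
+testing_sha: fb8d3668b34301076fcfd48d25353a9e47260de0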
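Review bot: The corroboration block at new-file line 51, `or strings.icontains(body.current_thread.text, "Received")`, matches the bare word "received" anywhere in the body, so it is satisfied by most ordinary mail and by the very strings the first block already requires (e.g. "New Fax Received"), which undercuts the "very high confidence" comment on line 45. Tightening it to a label form like its neighbours, `or regex.icontains(body.current_thread.text, '\bReceived:')`, keeps the intent without that false-positive exposure; `"Date:"` on line 48 has a smaller version of the same problem since quoted replies and calendar bodies carry it, though the reply/forward guard on lines 12–13 limits it. Separately, the comment on line 81 ("the attachments shouldn't be images which are used in the body of the html") contradicts the branch it introduces, whose content_id checks on lines 90–100 require the image to be referenced from body.html.raw; replacing it with `// attachments are fax-named, or inline images whose OCR text contains fax wording` would match what the code does. The quoting of the root-domain list on lines 125–138 mixes `"faxage.com"` with single-quoted entries; one style throughout would be easier to audit.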
