Detection rules › Sublime MQL
Brand impersonation: Meta and subsidiaries
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Lookalike domain, Social engineering |
Event coverage
Rule body MQL
type.inbound
and (
// sender display name is a strong enough indicator
// that it can be used without any other impersonation logic
(
regex.icontains(sender.display_name,
// this regex looks for a commonly abused phrase starting with 'meta', potentially containing a version of the word 'verified', followed by phrases that have been observed in campaigns.
'\bm.?e.?t.?a\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|service|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',
// this regex also looks for a commonly abused phrase starting with 'meta', followed by a phrase, then 'team' with no separating spaces.
'\bm.?e.?t.?a(?:recruiting|pro|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|ads)team',
// this regex is similar to the first in this section, but starts with facebook instead of meta
'\bf.?a.?c.?e.?b.?o.?o.?k\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|ads[ -]?team|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',
'^[a-z]+ from \bmeta$',
'page ?ads ?support',
'Instagram\s*(?:Not|Policies|Report|Helpdesk|Support)',
'\bMeta & Coursera',
'Compliance & Security',
'social.?media.?\b(?:master|expert|pro|guru)\b',
'\bmeta\b.?(?:social|skill|ads).?(?:star|set|expert)',
'noreply-(?:meta|fb).+'
)
or (
regex.icontains(sender.display_name,
"f\u{200a}?a\u{200a}?c\u{200a}?e\u{200a}?b\u{200a}?o\u{200a}?o\u{200a}?k"
)
and not strings.icontains(sender.display_name, 'facebook')
)
or strings.contains(sender.display_name, "\u{24C2}")
or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
or strings.ilike(sender.email.domain.domain, '*facebook*')
or strings.ilike(sender.email.local_part,
"*instagramlive*",
"*facebooksupport*"
)
or strings.icontains(sender.email.domain.subdomain, 'meta-')
)
// the use of these keywords (facebook, instagram)
// or the levenshtein distance to facebook
// are less strong and thus need to be combined with logo detection or nlu
or (
(
regex.icontains(sender.display_name,
'\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
'\binstagr(am)?\b',
'\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a\b'
)
or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
or sender.email.email == 'noreply@appsheet.com'
)
and 2 of (
any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
),
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
),
(
length(body.current_thread.text) < 2000
and regex.icontains(body.current_thread.text, "(?:violation|infringe)")
),
regex.icontains(subject.base,
'\b(?:recruiting|permanently|locked|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|business|policy|verif(?:y|i(?:cado|ed))|Vérifié|Trademark|Misuse|Review|Violation|Warning|Restriction|Inappropriate|service|Content|multiple reports)\b'
),
any(body.links,
.href_url.domain.root_domain in $self_service_creation_platform_domains
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $url_shorteners
),
sender.email.domain.root_domain in $free_email_providers
)
)
// salesforce sender combined with logo detection and nlu is enough
or (
sender.email.domain.root_domain == "salesforce.com"
and any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
)
)
or
// or the body contains a facebook/meta footer with the address citing "community support"
(
(
regex.icontains(body.current_thread.text,
'(?:1\s+(?:Facebook|Hacker|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
or (
regex.icontains(body.current_thread.text,
'(?:Security Team © Meta|Meta Support Team)'
)
)
)
// and it contains a link to spawn a chat with facebook - this is not the way support operates
and (
any(body.links,
strings.ends_with(.href_url.domain.domain, 'facebook.com')
and strings.starts_with(.href_url.path, '/msg/')
)
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("high")
)
)
or any(recipients.to,
.email.domain.valid
and any(body.links,
strings.icontains(.href_url.url, ..email.email)
or any(strings.scan_base64(.href_url.url,
format="url",
ignore_padding=true
),
strings.icontains(., ...email.email)
)
or any(strings.scan_base64(.href_url.fragment,
ignore_padding=true
),
strings.icontains(., ...email.email)
)
)
)
)
)
// we've seen advertising "advice/recommendations"
or (
all(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Advertising and Promotions", "Reminders and Notifications")
)
// Meta mention
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and strings.icontains(.text, 'Community Guidelines')
)
or regex.icontains(body.current_thread.text,
'(1\s+(Facebook|Hacker|\bMeta\b)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
)
or (
strings.icontains(body.current_thread.text, "Meta Professional Certificate")
and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
// Add link validation
and any(body.links,
strings.icontains(.display_text, "coursera")
and .href_url.domain.root_domain != "coursera.org"
)
)
or 2 of (
strings.icontains(body.current_thread.text, 'Meta '),
strings.icontains(body.current_thread.text, '1602 Willow Road'),
strings.icontains(body.current_thread.text, 'Menlo Park, CA 91024'),
)
)
and sender.email.domain.root_domain not in~ (
'facebook.com',
'facebookmail.com',
'eventsatfacebook.com',
'facebookenterprise.com',
'meta.com',
'metamail.com',
'instagram.com',
'medallia.com',
'fbworkmail.com',
'workplace.com',
'capterra.com', // they mention "Community Guidelines"
'facebookblueprint.com',
'metaenterprisemail.com',
'pigfacebookstore.com.au', // unrelated domain but hitting on facebook
'metacompliance.com',
'metaprop.com', // unrelated domain but hitting on meta pro
'oakley.com', // meta intelligence glasses
'facebookuserprivacysettlement.com', // fb settlement website
'perceptyx.com', // ai employee engagement
'unroll.me', // unroll contains instagram logo
'har.com' // facebook ads management
)
// negate metaenterprise links
and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
// meta wiki renamer
and not (
sender.display_name == 'Meta-Wiki'
and sender.email.domain.root_domain == 'wikimedia.org'
)
// we dont want emails where all the links go to meta domains
and not (
(
length(body.links) > 1
and all(body.links,
.href_url.domain.root_domain in (
'facebook.com',
'instagram.com',
'meta.com'
)
and not strings.istarts_with(.href_url.path, '/share/')
)
)
// too many links
or length(body.links) > 20
)
// no previous threads
and length(body.previous_threads) == 0
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
// salesforce has been abused for meta phishing campaigns repeatedly
or sender.email.domain.root_domain == "salesforce.com"
)
Detection logic
Scope: inbound message.
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
- inbound message
any of:
any of:
sender.display_name matches any of 11 patterns
\bm.?e.?t.?a\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|service|business|policy|Vérifié|certify|inc|help[ -]?desk)\b\bm.?e.?t.?a(?:recruiting|pro|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|ads)team\bf.?a.?c.?e.?b.?o.?o.?k\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|ads[ -]?team|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|Vérifié|certify|inc|help[ -]?desk)\b^[a-z]+ from \bmeta$page ?ads ?supportInstagram\s*(?:Not|Policies|Report|Helpdesk|Support)\bMeta & CourseraCompliance & Securitysocial.?media.?\b(?:master|expert|pro|guru)\b\bmeta\b.?(?:social|skill|ads).?(?:star|set|expert)noreply-(?:meta|fb).+
all of:
- sender.display_name matches 'f\\u{200a}?a\\u{200a}?c\\u{200a}?e\\u{200a}?b\\u{200a}?o\\u{200a}?o\\u{200a}?k'
not:
- sender.display_name contains 'facebook'
- sender.display_name contains '\\u{24C2}'
- sender.display_name is similar to 'facebook ads'
- sender.display_name is similar to 'facebook business'
- sender.email.domain.domain matches '*facebook*'
sender.email.local_part matches any of 2 patterns
*instagramlive**facebooksupport*
- sender.email.domain.subdomain contains 'meta-'
all of:
any of:
sender.display_name matches any of 3 patterns
\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b\binstagr(am)?\b\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a\b
- sender.display_name is similar to 'facebook'
- sender.email.email is 'noreply@appsheet.com'
at least 2 of:
any of
ml.logo_detect(file.message_screenshot()).brandswhere:- .name in ('Facebook', 'Meta', 'Instagram', 'Threads')
any of
ml.nlu_classifier(body.current_thread.text).intentswhere all hold:- .name in ('cred_theft', 'callback_scam', 'steal_pii')
- .confidence in ('medium', 'high')
all of:
- length(body.current_thread.text) < 2000
- body.current_thread.text matches '(?:violation|infringe)'
- subject.base matches '\\b(?:recruiting|permanently|locked|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|business|policy|verif(?:y|i(?:cado|ed))|Vérifié|Trademark|Misuse|Review|Violation|Warning|Restriction|Inappropriate|service|Content|multiple reports)\\b'
any of
body.linkswhere any holds:- .href_url.domain.root_domain in $self_service_creation_platform_domains
- .href_url.domain.root_domain in $free_file_hosts
- .href_url.domain.root_domain in $free_subdomain_hosts
- .href_url.domain.root_domain in $url_shorteners
- sender.email.domain.root_domain in $free_email_providers
all of:
- sender.email.domain.root_domain is 'salesforce.com'
any of
ml.logo_detect(file.message_screenshot()).brandswhere:- .name in ('Facebook', 'Meta', 'Instagram', 'Threads')
any of
ml.nlu_classifier(body.current_thread.text).intentswhere all hold:- .name in ('cred_theft', 'callback_scam', 'steal_pii')
- .confidence in ('medium', 'high')
all of:
any of:
- body.current_thread.text matches '(?:1\\s+(?:Facebook|Hacker|Meta)?\\s*Way|1601\\s+Willow\\s+Rd?).*Menlo\\s+Park.*CA.*94025'
- body.current_thread.text matches '(?:Security Team © Meta|Meta Support Team)'
any of:
any of
body.linkswhere all hold:- .href_url.domain.domain ends with 'facebook.com'
- .href_url.path starts with '/msg/'
any of
ml.nlu_classifier(body.current_thread.text).intentswhere all hold:- .name in ('cred_theft', 'callback_scam', 'steal_pii')
- .confidence in ('high')
any of
recipients.towhere all hold:- .email.domain.valid
any of
body.linkswhere any holds:- strings.icontains(.href_url.url)
any of
strings.scan_base64(.href_url.url)where:- strings.icontains(.)
any of
strings.scan_base64(.href_url.fragment)where:- strings.icontains(.)
all of:
all of
ml.nlu_classifier(body.current_thread.text).topicswhere:- .name in ('Advertising and Promotions', 'Reminders and Notifications')
any of:
any of
ml.nlu_classifier(body.current_thread.text).entitieswhere all hold:- .name is 'org'
- .text contains 'Community Guidelines'
- body.current_thread.text matches '(1\\s+(Facebook|Hacker|\\bMeta\\b)?\\s*Way|1601\\s+Willow\\s+Rd?).*Menlo\\s+Park.*CA.*94025'
any of
ml.nlu_classifier(body.current_thread.text).entitieswhere:- .name is 'urgency'
all of:
- body.current_thread.text contains 'Meta Professional Certificate'
- body.current_thread.text contains 'Meta & Coursera Team'
any of
body.linkswhere all hold:- .display_text contains 'coursera'
- .href_url.domain.root_domain is not 'coursera.org'
at least 2 of:
- body.current_thread.text contains 'Meta '
- body.current_thread.text contains '1602 Willow Road'
- body.current_thread.text contains 'Menlo Park, CA 91024'
- sender.email.domain.root_domain not in ('facebook.com', 'facebookmail.com', 'eventsatfacebook.com', 'facebookenterprise.com', 'meta.com', 'metamail.com', 'instagram.com', 'medallia.com', 'fbworkmail.com', 'workplace.com', 'capterra.com', 'facebookblueprint.com', 'metaenterprisemail.com', 'pigfacebookstore.com.au', 'metacompliance.com', 'metaprop.com', 'oakley.com', 'facebookuserprivacysettlement.com', 'perceptyx.com', 'unroll.me', 'har.com')
not:
any of
headers.reply_towhere:- .email.email is 'noreply@facebookmail.com'
not:
all of:
- sender.display_name is 'Meta-Wiki'
- sender.email.domain.root_domain is 'wikimedia.org'
none of:
all of:
- length(body.links) > 1
all of
body.linkswhere all hold:- .href_url.domain.root_domain in ('facebook.com', 'instagram.com', 'meta.com')
not:
- .href_url.path starts with '/share/'
- length(body.links) > 20
- length(body.previous_threads) is 0
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
- sender.email.domain.root_domain is 'salesforce.com'
Inspects: body.current_thread.text, body.links, body.links[].display_text, body.links[].href_url.domain.domain, body.links[].href_url.domain.root_domain, body.links[].href_url.fragment, body.links[].href_url.path, body.links[].href_url.url, body.previous_threads, headers.auth_summary.dmarc.pass, headers.reply_to, headers.reply_to[].email.email, recipients.to, recipients.to[].email.domain.valid, recipients.to[].email.email, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.domain.subdomain, sender.email.email, sender.email.local_part, subject.base, type.inbound. Sensors: file.message_screenshot, ml.logo_detect, ml.nlu_classifier, regex.icontains, strings.contains, strings.ends_with, strings.icontains, strings.ilevenshtein, strings.ilike, strings.istarts_with, strings.scan_base64, strings.starts_with. Reference lists: $free_email_providers, $free_file_hosts, $free_subdomain_hosts, $high_trust_sender_root_domains, $self_service_creation_platform_domains, $url_shorteners.
Indicators matched (81)
| Field | Match | Value |
|---|---|---|
regex.icontains | regex | \bm.?e.?t.?a\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|service|business|policy|Vérifié|certify|inc|help[ -]?desk)\b |
regex.icontains | regex | \bm.?e.?t.?a(?:recruiting|pro|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|ads)team |
regex.icontains | regex | \bf.?a.?c.?e.?b.?o.?o.?k\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|ads[ -]?team|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|Vérifié|certify|inc|help[ -]?desk)\b |
regex.icontains | regex | ^[a-z]+ from \bmeta$ |
regex.icontains | regex | page ?ads ?support |
regex.icontains | regex | Instagram\s*(?:Not|Policies|Report|Helpdesk|Support) |
regex.icontains | regex | \bMeta & Coursera |
regex.icontains | regex | Compliance & Security |
regex.icontains | regex | social.?media.?\b(?:master|expert|pro|guru)\b |
regex.icontains | regex | \bmeta\b.?(?:social|skill|ads).?(?:star|set|expert) |
regex.icontains | regex | noreply-(?:meta|fb).+ |
regex.icontains | regex | f\u{200a}?a\u{200a}?c\u{200a}?e\u{200a}?b\u{200a}?o\u{200a}?o\u{200a}?k |
69 more
strings.icontains | substring | facebook |
strings.contains | substring | \u{24C2} |
strings.ilevenshtein | fuzzy | facebook ads |
strings.ilevenshtein | fuzzy | facebook business |
strings.ilike | substring | *facebook* |
strings.ilike | substring | *instagramlive* |
strings.ilike | substring | *facebooksupport* |
strings.icontains | substring | meta- |
regex.icontains | regex | \bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b |
regex.icontains | regex | \binstagr(am)?\b |
regex.icontains | regex | \bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a\b |
strings.ilevenshtein | fuzzy | facebook |
sender.email.email | equals | noreply@appsheet.com |
ml.logo_detect(file.message_screenshot()).brands[].name | member | Facebook |
ml.logo_detect(file.message_screenshot()).brands[].name | member | Meta |
ml.logo_detect(file.message_screenshot()).brands[].name | member | Instagram |
ml.logo_detect(file.message_screenshot()).brands[].name | member | Threads |
ml.nlu_classifier(body.current_thread.text).intents[].name | member | cred_theft |
ml.nlu_classifier(body.current_thread.text).intents[].name | member | callback_scam |
ml.nlu_classifier(body.current_thread.text).intents[].name | member | steal_pii |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | medium |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | member | high |
regex.icontains | regex | (?:violation|infringe) |
regex.icontains | regex | \b(?:recruiting|permanently|locked|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|business|policy|verif(?:y|i(?:cado|ed))|Vérifié|Trademark|Misuse|Review|Violation|Warning|Restriction|Inappropriate|service|Content|multiple reports)\b |
sender.email.domain.root_domain | equals | salesforce.com |
regex.icontains | regex | (?:1\s+(?:Facebook|Hacker|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025 |
regex.icontains | regex | (?:Security Team © Meta|Meta Support Team) |
strings.ends_with | suffix | facebook.com |
strings.starts_with | prefix | /msg/ |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Advertising and Promotions |
ml.nlu_classifier(body.current_thread.text).topics[].name | member | Reminders and Notifications |
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | org |
strings.icontains | substring | Community Guidelines |
regex.icontains | regex | (1\s+(Facebook|Hacker|\bMeta\b)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025 |
ml.nlu_classifier(body.current_thread.text).entities[].name | equals | urgency |
strings.icontains | substring | Meta Professional Certificate |
strings.icontains | substring | Meta & Coursera Team |
strings.icontains | substring | coursera |
strings.icontains | substring | Meta |
strings.icontains | substring | 1602 Willow Road |
strings.icontains | substring | Menlo Park, CA 91024 |
sender.email.domain.root_domain | member | facebook.com |
sender.email.domain.root_domain | member | facebookmail.com |
sender.email.domain.root_domain | member | eventsatfacebook.com |
sender.email.domain.root_domain | member | facebookenterprise.com |
sender.email.domain.root_domain | member | meta.com |
sender.email.domain.root_domain | member | metamail.com |
sender.email.domain.root_domain | member | instagram.com |
sender.email.domain.root_domain | member | medallia.com |
sender.email.domain.root_domain | member | fbworkmail.com |
sender.email.domain.root_domain | member | workplace.com |
sender.email.domain.root_domain | member | capterra.com |
sender.email.domain.root_domain | member | facebookblueprint.com |
sender.email.domain.root_domain | member | metaenterprisemail.com |
sender.email.domain.root_domain | member | pigfacebookstore.com.au |
sender.email.domain.root_domain | member | metacompliance.com |
sender.email.domain.root_domain | member | metaprop.com |
sender.email.domain.root_domain | member | oakley.com |
sender.email.domain.root_domain | member | facebookuserprivacysettlement.com |
sender.email.domain.root_domain | member | perceptyx.com |
sender.email.domain.root_domain | member | unroll.me |
sender.email.domain.root_domain | member | har.com |
headers.reply_to[].email.email | equals | noreply@facebookmail.com |
sender.display_name | equals | Meta-Wiki |
sender.email.domain.root_domain | equals | wikimedia.org |
body.links[].href_url.domain.root_domain | member | facebook.com |
body.links[].href_url.domain.root_domain | member | instagram.com |
body.links[].href_url.domain.root_domain | member | meta.com |
strings.istarts_with | prefix | /share/ |