
Brand impersonation: Fake Fax

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category | Values
Attack types | Credential Phishing
Tactics and techniques | Impersonation: Brand, Image as content, Free file host, Free subdomain host, Social engineering

Rule body (MQL)

type.inbound
// Subject or sender contains fax
and (
  any([subject.subject, sender.display_name],
      regex.icontains(.,
                      '\bfax\b',
                      '[ve][[:punct:]]?fax',
                      '[[:punct:]]fax\b',
                      '\bfax[[:punct:]]',
                      'fr[[:punct:]].{0,25}document',
                      'e.?f.?a.?x'
      )
  )
)
and (
  // body.current_thread.text logic
  (
    ( // strong notification terms in either the subject or body.current_thread.text
      any([subject.subject, body.current_thread.text],
          strings.icontains(., "New Fax Received")
          or strings.icontains(., "e-Fax Document")
          or strings.icontains(., "Fax Status")
          or strings.icontains(., "Fax ID")
          or strings.icontains(., "Incoming Fax")
          or strings.icontains(., "New Fax Document")
          or strings.istarts_with(., 'Fax message')
          or regex.icontains(.,
                             '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
          )
          or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
          or regex.icontains(.,
                             'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                             '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
          )
      )
      and (
        // combined with above, we should have very high confidence this is a fax message
        (
          // date
          strings.icontains(body.current_thread.text, "Date:")
          or strings.icontains(body.current_thread.text, "Time Sent:")
          or strings.icontains(body.current_thread.text, "Time Received:")
          or strings.icontains(body.current_thread.text, "Received")
          // page count
          or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
          or strings.icontains(body.current_thread.text, "Type: PDF")
        )
        // commonly abused brands
        or (
          strings.icontains(body.current_thread.text,
                            "eFax is a registered trademark of Consensus"
          )
          or strings.icontains(body.current_thread.text, "RingCentral, Inc")
        )
        // there is a link with the display text of some CTA
        or any(body.links,
               strings.icontains(.display_text, "open fax")
               // review document, view document review and sign document
               or regex.icontains(.display_text,
                                  "(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
               )
               or strings.icontains(.display_text, "Open document")
        )
      )
    )
    // attachment logic
    or (
      // the body.current_thread.text length is very short (probably just a warning banner)
      // and the attachment isn't used in the body of the message
      length(body.current_thread.text) < 300
      // and there are attachments
      and 0 < length(attachments) < 5
      // the attachments shouldn't be images which are used in the body of the html
      and any(attachments,
              strings.icontains(.file_name, 'fax')
              or (
                // or they are used in the body and OCR on them contains fax wording
                // the image is used in the HTML body
                .file_type in $file_types_images
                and (
                  any(regex.extract(.content_id, '^\<(.*)\>$'),
                      any(.groups,
                          strings.icontains(body.html.raw,
                                            strings.concat('src="cid:', ., '"')
                          )
                      )
                  )
                  or strings.icontains(body.html.raw, .content_id)
                )
                and (
                  // and that image contains fax wording
                  strings.icontains(beta.ocr(.).text, "New Fax Received")
                  or strings.icontains(beta.ocr(.).text, "New Fax Document")
                  or regex.icontains(beta.ocr(.).text,
                                     "(?:received|have) a (?:new )?fax"
                  )
                  or regex.icontains(beta.ocr(.).text,
                                     "to view (th(?:e|is) )?(?:fax|message)"
                  )
                  or regex.icontains(beta.ocr(.).text,
                                     'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                                     '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
                  )
                )
              )
      )
    )
  )
)
// negate known fax mailers
and not (
  sender.email.domain.root_domain in (
    "faxage.com",
    'fax2mail.com',
    'ringcentral.com',
    'ringcentral.biz',
    'avaya.com',
    'egoldfax.com',
    'efax.com',
    'hellofax.com',
    'mfax.io',
    'goto.com',
    'faxmessage.net',
    'fuze.com',
    'retarus.net',
    'srfax.com',
    'myfax.com',
    '8x8.com',
    'zoom.us',
    'faxhd.com',
    'humblefax.com',
    'bridge.insure',
    'telecomsvc.com'
  )
  and headers.auth_summary.dmarc.pass
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of [subject.subject, sender.display_name] where:
    • . matches any of 6 patterns
      • \bfax\b
      • [ve][[:punct:]]?fax
      • [[:punct:]]fax\b
      • \bfax[[:punct:]]
      • fr[[:punct:]].{0,25}document
      • e.?f.?a.?x
  3. any of:
    • all of:
      • any of [subject.subject, body.current_thread.text] where any holds:
        • . contains 'New Fax Received'
        • . contains 'e-Fax Document'
        • . contains 'Fax Status'
        • . contains 'Fax ID'
        • . contains 'Incoming Fax'
        • . contains 'New Fax Document'
        • . starts with 'Fax message'
        • . matches '(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
        • . matches 'to view (th(?:e|is) )?(?:fax|message)'
        • . matches any of 2 patterns
          • transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)
          • (?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?
      • any of:
        • any of:
          • body.current_thread.text contains 'Date:'
          • body.current_thread.text contains 'Time Sent:'
          • body.current_thread.text contains 'Time Received:'
          • body.current_thread.text contains 'Received'
          • body.current_thread.text matches 'Num(ber)? of Pages?'
          • body.current_thread.text contains 'Type: PDF'
        • any of:
          • body.current_thread.text contains 'eFax is a registered trademark of Consensus'
          • body.current_thread.text contains 'RingCentral, Inc'
        • any of body.links where any holds:
          • .display_text contains 'open fax'
          • .display_text matches '(?:re)?view (?:(?:&|and) sign )?(?:complete )?document'
          • .display_text contains 'Open document'
    • all of:
      • length(body.current_thread.text) < 300
      • all of:
        • length(attachments) > 0
        • length(attachments) < 5
      • any of attachments where any holds:
        • .file_name contains 'fax'
        • all of:
          • .file_type in $file_types_images
          • any of:
            • any of regex.extract(.content_id, '^\<(.*)\>$') where:
              • any of .groups where:
                • body.html.raw contains strings.concat('src="cid:', ., '"')
            • body.html.raw contains .content_id
          • any of:
            • beta.ocr(.).text contains 'New Fax Received'
            • beta.ocr(.).text contains 'New Fax Document'
            • beta.ocr(.).text matches '(?:received|have) a (?:new )?fax'
            • beta.ocr(.).text matches 'to view (th(?:e|is) )?(?:fax|message)'
            • beta.ocr(.).text matches any of 2 patterns
              • transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)
              • (?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?
  4. not:
    • all of:
      • sender.email.domain.root_domain in ('faxage.com', 'fax2mail.com', 'ringcentral.com', 'ringcentral.biz', 'avaya.com', 'egoldfax.com', 'efax.com', 'hellofax.com', 'mfax.io', 'goto.com', 'faxmessage.net', 'fuze.com', 'retarus.net', 'srfax.com', 'myfax.com', '8x8.com', 'zoom.us', 'faxhd.com', 'humblefax.com', 'bridge.insure', 'telecomsvc.com')
      • headers.auth_summary.dmarc.pass

Inspects: attachments[].content_id, attachments[].file_name, attachments[].file_type, body.current_thread.text, body.html.raw, body.links, body.links[].display_text, headers.auth_summary.dmarc.pass, sender.display_name, sender.email.domain.root_domain, subject.subject, type.inbound. Sensors: beta.ocr, regex.extract, regex.icontains, strings.concat, strings.icontains, strings.istarts_with. Reference lists: $file_types_images.
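As an added illustration, not code from the rule or the sublime-rules repository, the body-text branch of the detection logic above is re-expressed in Python and run over constructed messages. Field names are assumptions standing in for the MQL fields, `[[:punct:]]` is approximated as `[^\w\s]` because Python's `re` lacks POSIX classes, the provider allowlist is a subset of the rule's, and the short-body/attachment OCR branch is omitted.

```python
import re

# Subset of the rule's allowlist; the negation only applies when DMARC passes.
FAX_PROVIDERS = {"efax.com", "ringcentral.com", "myfax.com"}

# Step 2: fax wording in subject or sender display name ([[:punct:]] -> [^\w\s]).
SUBJECT_SENDER_RE = re.compile(
    r"\bfax\b|[ve][^\w\s]?fax|[^\w\s]fax\b|\bfax[^\w\s]|fr[^\w\s].{0,25}document|e.?f.?a.?x", re.I)
# Step 3a: strong notification terms in subject or body text.
NOTIFY_TERMS = ("new fax received", "e-fax document", "fax status", "fax id",
                "incoming fax", "new fax document")
NOTIFY_RE = re.compile(
    r"(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax|to view (th(?:e|is) )?(?:fax|message)"
    r"|transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)", re.I)
# Step 3b: corroborating metadata, abused brand strings, or a call-to-action link.
CORROBORATE = ("date:", "time sent:", "time received:", "received", "type: pdf",
               "efax is a registered trademark of consensus", "ringcentral, inc")
PAGES_RE = re.compile(r"num(ber)? of pages?", re.I)
CTA_RE = re.compile(r"open fax|(?:re)?view (?:(?:&|and) sign )?(?:complete )?document|open document", re.I)


def fax_language(msg):
    return any(SUBJECT_SENDER_RE.search(f) for f in (msg["subject"], msg["display_name"]))


def notification_terms(msg):
    return any(any(t in f.lower() for t in NOTIFY_TERMS) or f.lower().startswith("fax message")
               or NOTIFY_RE.search(f) for f in (msg["subject"], msg["body_text"]))


def corroborating_elements(msg):
    body = msg["body_text"].lower()
    return (any(c in body for c in CORROBORATE) or bool(PAGES_RE.search(body))
            or any(CTA_RE.search(l["display_text"]) for l in msg["links"]))


def known_fax_mailer(msg):
    # Step 4: a listed provider domain is only trusted if the message passed DMARC.
    return msg["root_domain"] in FAX_PROVIDERS and msg["dmarc_pass"]


def is_fake_fax(msg):
    return (msg["inbound"] and fax_language(msg) and notification_terms(msg)
            and corroborating_elements(msg) and not known_fax_mailer(msg))


# Constructed sample messages (not taken from any real campaign).
LURE = {"inbound": True, "subject": "New Fax Received", "display_name": "eFax Corporate",
        "body_text": "You have a new fax. Date: 2024-01-01 Number of Pages: 2",
        "links": [{"display_text": "Review Document"}],
        "root_domain": "example.com", "dmarc_pass": True}
LEGIT = {**LURE, "root_domain": "efax.com", "dmarc_pass": True}    # listed provider, DMARC pass
SPOOFED = {**LURE, "root_domain": "efax.com", "dmarc_pass": False}  # listed provider, DMARC fail
```

The SPOOFED case shows why the allowlist is paired with the DMARC check: a lookalike that forges a provider's domain but fails authentication still triggers the rule.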

Indicators matched (52)

Field | Match | Value
regex.icontains | regex | \bfax\b
regex.icontains | regex | [ve][[:punct:]]?fax
regex.icontains | regex | [[:punct:]]fax\b
regex.icontains | regex | \bfax[[:punct:]]
regex.icontains | regex | fr[[:punct:]].{0,25}document
regex.icontains | regex | e.?f.?a.?x
strings.icontains | substring | New Fax Received
strings.icontains | substring | e-Fax Document
strings.icontains | substring | Fax Status
strings.icontains | substring | Fax ID
strings.icontains | substring | Incoming Fax
strings.icontains | substring | New Fax Document
strings.istarts_with | prefix | Fax message
regex.icontains | regex | (?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax
regex.icontains | regex | to view (th(?:e|is) )?(?:fax|message)
regex.icontains | regex | transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)
regex.icontains | regex | (?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?
strings.icontains | substring | Date:
strings.icontains | substring | Time Sent:
strings.icontains | substring | Time Received:
strings.icontains | substring | Received
regex.icontains | regex | Num(ber)? of Pages?
strings.icontains | substring | Type: PDF
strings.icontains | substring | eFax is a registered trademark of Consensus
strings.icontains | substring | RingCentral, Inc
strings.icontains | substring | open fax
regex.icontains | regex | (?:re)?view (?:(?:&|and) sign )?(?:complete )?document
strings.icontains | substring | Open document
strings.icontains | substring | fax
regex.extract | regex | ^\<(.*)\>$
regex.icontains | regex | (?:received|have) a (?:new )?fax
sender.email.domain.root_domain | member | faxage.com
sender.email.domain.root_domain | member | fax2mail.com
sender.email.domain.root_domain | member | ringcentral.com
sender.email.domain.root_domain | member | ringcentral.biz
sender.email.domain.root_domain | member | avaya.com
sender.email.domain.root_domain | member | egoldfax.com
sender.email.domain.root_domain | member | efax.com
sender.email.domain.root_domain | member | hellofax.com
sender.email.domain.root_domain | member | mfax.io
sender.email.domain.root_domain | member | goto.com
sender.email.domain.root_domain | member | faxmessage.net
sender.email.domain.root_domain | member | fuze.com
sender.email.domain.root_domain | member | retarus.net
sender.email.domain.root_domain | member | srfax.com
sender.email.domain.root_domain | member | myfax.com
sender.email.domain.root_domain | member | 8x8.com
sender.email.domain.root_domain | member | zoom.us
sender.email.domain.root_domain | member | faxhd.com
sender.email.domain.root_domain | member | humblefax.com
sender.email.domain.root_domain | member | bridge.insure
sender.email.domain.root_domain | member | telecomsvc.com