Sublime Core Feed
Medium Severity

Brand Impersonation: Fake Fax

Labels

Credential Phishing
Impersonation: Brand
Image as content
Free file host
Free subdomain host
Social engineering
Computer Vision
Content analysis
Optical Character Recognition
Sender analysis
URL analysis

Description

Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.

References

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 25th, 2025
Feed Source
Sublime Core Feed
Source
GitHub
type.inbound

// not a reply/fwd
and length(headers.references) == 0 
and headers.in_reply_to is null

// Subject or sender contains fax
and (
  any([subject.subject, sender.display_name],
      regex.icontains(.,
                      '\bfax\b',
                      '[ve][[:punct:]]?fax',
                      '[[:punct:]]fax\b',
                      '\bfax[[:punct:]]'
      )
  )
)
and (
  // body.current_thread.text logic
  (
    ( // strong notification terms in either the subject or body.current_thread.text
      any([subject.subject, body.current_thread.text],
          strings.icontains(., "New Fax Received")
          or strings.icontains(., "New Fax Document")
          or regex.icontains(., "(?:received|have) a (?:new )?fax")
          or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
          or regex.icontains(.,
                             'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                             '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
          )
      )
      and (
        // combined with above, we should have very high confidence this is a fax message
        (
          // date
          strings.icontains(body.current_thread.text, "Date:")
          or strings.icontains(body.current_thread.text, "Time Sent:")
          or strings.icontains(body.current_thread.text, "Time Received:")
          or strings.icontains(body.current_thread.text, "Received")
          // page count
          or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
          or strings.icontains(body.current_thread.text, "Type: PDF")
        )
        // commonly abused brands
        or (
          strings.icontains(body.current_thread.text,
                            "eFax is a registered trademark of Consensus"
          )
          or strings.icontains(body.current_thread.text, "RingCentral, Inc")
        )
        // there is a link with the display text of some CTA
        or any(body.links,
               strings.icontains(.display_text, "open fax")
               // review document, view document review and sign document
               or regex.icontains(.display_text,
                                  "(?:re)?view (?:(?:&|and) sign )?document"
               )
               or strings.icontains(.display_text, "Open document")
        )
      )
    )
    // attachment logic
    or (
      // the body.current_thread.text length is very short (probably just a warning banner)
      // and the attachment isn't used in the body of the message
      length(body.current_thread.text) < 300
      // and there are attachments
      and 0 < length(attachments) < 5
      // the attachments shouldn't be images which are used in the body of the html
      and any(attachments,
              strings.icontains(.file_name, 'fax')
              or (
                // or they are used in the body and OCR on them contains fax wording
                // the image is used in the HTML body
                .file_type in $file_types_images
                and any(regex.extract(.content_id, '^\<(.*)\>$'),
                        any(.groups,
                            strings.icontains(body.html.raw,
                                              strings.concat('src="cid:',
                                                             .,
                                                             '"'
                                              )
                            )
                        )
                )
                and (
                  // and that image contains fax wording
                  strings.icontains(beta.ocr(.).text, "New Fax Received")
                  or strings.icontains(beta.ocr(.).text, "New Fax Document")
                  or regex.icontains(beta.ocr(.).text,
                                     "(?:received|have) a (?:new )?fax"
                  )
                  or regex.icontains(beta.ocr(.).text,
                                     "to view (th(?:e|is) )?(?:fax|message)"
                  )
                  or regex.icontains(beta.ocr(.).text,
                                     'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
                                     '(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
                  )
                )
              )
      )
    )
  )
)
// negate known fax mailers
and not (
  sender.email.domain.root_domain in (
    "faxage.com",
    'fax2mail.com',
    'ringcentral.com',
    'avaya.com',
    'egoldfax.com',
    'efax.com',
    'hellofax.com',
    'mfax.io',
    'goto.com',
    'faxmessage.net',
    'fuze.com',
    'retarus.net',
    'srfax.com',
    'myfax.com'
  )
  and headers.auth_summary.dmarc.pass
)
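The body-text branch of the rule above, ported to Python as an added example (not Sublime's code) and run over constructed sample messages, to show how the fax-term, strong-notification, supporting-indicator and known-mailer conditions combine, including the case where a known fax domain fails DMARC. The attachment/OCR branch is omitted, POSIX `[[:punct:]]` is approximated with `[^\w\s]`, and the `Message` fields and sample domains are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

PUNCT = r"[^\w\s]"  # Python's re lacks POSIX [[:punct:]]; this is the closest equivalent
FAX_TERMS = [r"\bfax\b", rf"[ve]{PUNCT}?fax", rf"{PUNCT}fax\b", rf"\bfax{PUNCT}"]
STRONG_TERMS = [  # the rule's "strong notification terms" (subject or body)
    r"new fax received", r"new fax document",
    r"(?:received|have) a (?:new )?fax",
    r"to view (?:th(?:e|is) )?(?:fax|message)",
    r"transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)",
    r"(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?",
]
SUPPORT_TERMS = [  # date / page-count / abused-brand indicators in the body
    r"date:", r"time sent:", r"time received:", r"received", r"num(?:ber)? of pages?",
    r"type: pdf", r"efax is a registered trademark of consensus", r"ringcentral, inc"]
CTA_TERMS = [r"open fax", r"(?:re)?view (?:(?:&|and) sign )?document", r"open document"]
KNOWN_FAX_DOMAINS = {"faxage.com", "fax2mail.com", "ringcentral.com", "avaya.com", "egoldfax.com",
                     "efax.com", "hellofax.com", "mfax.io", "goto.com", "faxmessage.net",
                     "fuze.com", "retarus.net", "srfax.com", "myfax.com"}
@dataclass
class Message:  # only the MQL fields the body-text branch reads (assumed shape)
    subject: str
    sender_name: str
    sender_root_domain: str
    body_text: str
    link_texts: list
    dmarc_pass: bool
    in_reply_to: Optional[str] = None
    references: int = 0

def any_match(patterns, text):
    return any(re.search(p, text, re.I) for p in patterns)
def is_fake_fax(m: Message) -> bool:
    if m.references or m.in_reply_to is not None:  # not a reply/fwd
        return False
    if not (any_match(FAX_TERMS, m.subject) or any_match(FAX_TERMS, m.sender_name)):
        return False
    strong = any_match(STRONG_TERMS, m.subject) or any_match(STRONG_TERMS, m.body_text)
    support = any_match(SUPPORT_TERMS, m.body_text) or any(any_match(CTA_TERMS, t) for t in m.link_texts)
    if not (strong and support):
        return False
    # known fax mailers are exempt only with a DMARC pass; a DMARC failure from one still fires
    return not (m.sender_root_domain in KNOWN_FAX_DOMAINS and m.dmarc_pass)

# Constructed sample messages, not real traffic
PHISH = Message("New Fax Received", "eFax Notification", "free-host.example",
                "You have received a new fax.\nDate: 2025-01-01\nNumber of Pages: 2", ["View Document"], dmarc_pass=False)
LEGIT = Message("New Fax Received", "eFax", "efax.com", PHISH.body_text, ["View Document"], dmarc_pass=True)
SPOOF = Message("New Fax Received", "eFax", "efax.com", PHISH.body_text, ["View Document"], dmarc_pass=False)
```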