Medium Severity
Brand Impersonation: Fake Fax
Description
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
Sublime Security
Created Aug 17th, 2023 • Last updated Apr 25th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
// not a reply/fwd
and length(headers.references) == 0
and headers.in_reply_to is null
// Subject or sender contains fax
and (
any([subject.subject, sender.display_name],
regex.icontains(.,
'\bfax\b',
'[ve][[:punct:]]?fax',
'[[:punct:]]fax\b',
'\bfax[[:punct:]]'
)
)
)
and (
// body.current_thread.text logic
(
( // strong notification terms in either the subject or body.current_thread.text
any([subject.subject, body.current_thread.text],
strings.icontains(., "New Fax Received")
or strings.icontains(., "New Fax Document")
or regex.icontains(., "(?:received|have) a (?:new )?fax")
or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
or regex.icontains(.,
'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
)
)
and (
// combined with above, we should have very high confidence this is a fax message
(
// date
strings.icontains(body.current_thread.text, "Date:")
or strings.icontains(body.current_thread.text, "Time Sent:")
or strings.icontains(body.current_thread.text, "Time Received:")
or strings.icontains(body.current_thread.text, "Received")
// page count
or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
or strings.icontains(body.current_thread.text, "Type: PDF")
)
// commonly abused brands
or (
strings.icontains(body.current_thread.text,
"eFax is a registered trademark of Consensus"
)
or strings.icontains(body.current_thread.text, "RingCentral, Inc")
)
// there is a link with the display text of some CTA
or any(body.links,
strings.icontains(.display_text, "open fax")
// review document, view document review and sign document
or regex.icontains(.display_text,
"(?:re)?view (?:(?:&|and) sign )?document"
)
or strings.icontains(.display_text, "Open document")
)
)
)
// attachment logic
or (
// the body.current_thread.text length is very short (probably just a warning banner)
// and the attachment isn't used in the body of the message
length(body.current_thread.text) < 300
// and there are attachments
and 0 < length(attachments) < 5
// the attachments shouldn't be images which are used in the body of the html
and any(attachments,
strings.icontains(.file_name, 'fax')
or (
// or they are used in the body and OCR on them contains fax wording
// the image is used in the HTML body
.file_type in $file_types_images
and any(regex.extract(.content_id, '^\<(.*)\>$'),
any(.groups,
strings.icontains(body.html.raw,
strings.concat('src="cid:',
.,
'"'
)
)
)
)
and (
// and that image contains fax wording
strings.icontains(beta.ocr(.).text, "New Fax Received")
or strings.icontains(beta.ocr(.).text, "New Fax Document")
or regex.icontains(beta.ocr(.).text,
"(?:received|have) a (?:new )?fax"
)
or regex.icontains(beta.ocr(.).text,
"to view (th(?:e|is) )?(?:fax|message)"
)
or regex.icontains(beta.ocr(.).text,
'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
)
)
)
)
)
)
)
// negate known fax mailers
and not (
sender.email.domain.root_domain in (
"faxage.com",
'fax2mail.com',
'ringcentral.com',
'avaya.com',
'egoldfax.com',
'efax.com',
'hellofax.com',
'mfax.io',
'goto.com',
'faxmessage.net',
'fuze.com',
'retarus.net',
'srfax.com',
'myfax.com'
)
and headers.auth_summary.dmarc.pass
)
Playground
Test against your own EMLs or sample data.