// Brand-impersonation detection for inbound mail posing as Meta / Facebook / Instagram.
// Shape of the rule: an inbound message must hit one of several positive branches
// (strong sender-name indicators on their own; weaker brand mentions only when
// corroborated by "2 of" supporting signals; a salesforce.com sender plus logo + NLU;
// a Meta-style footer plus a chat/recipient-tracking link; advertising "advice"
// topics; the Coursera certificate lure; a misspelled Menlo Park address), and then
// pass every exclusion at the bottom (legitimate Meta/partner domains, known
// false-positive domains, all-links-to-Meta newsletters, long threads, and
// high-trust senders that pass DMARC).
type.inbound
and (
// sender display name is a strong enough indicator
// that it can be used without any other impersonation logic
(
regex.icontains(sender.display_name,
// this regex looks for a commonly abused phrase starting with 'meta', potentially containing a version of the word 'verified', followed by phrases that have been observed in campaigns.
// NOTE(review): `m.?e.?t.?a` tolerates one arbitrary character between letters (e.g. "m.e.t.a", "m-e-t-a").
// The `(?:verif…)?` group is optional and sits between two `.*`, so it does not actually constrain the match;
// it documents intent rather than filtering. The real requirement is the `\b(...)\b` keyword list at the end.
'\bm.?e.?t.?a\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|service|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',
// this regex also looks for a commonly abused phrase starting with 'meta', followed by a phrase, then 'team' with no separating spaces.
'\bm.?e.?t.?a(?:recruiting|pro|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy)team',
// this regex is similar to the first in this section, but starts with facebook instead of meta
// (same caveat: the optional 'verified' group does not narrow the match).
'\bf.?a.?c.?e.?b.?o.?o.?k\b.*(?:verif(?:y|i(?:cado|ed)))?.*\b(?:recruiting|ads[ -]?team|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|service|account|help|support|business|policy|Vérifié|certify|inc|help[ -]?desk)\b',
// "<single word> from Meta" as the entire display name
'^[a-z]+ from \bmeta$',
'page ?ads ?support',
'Instagram\s*(?:Not|Policies|Report|Helpdesk|Support)',
'\bMeta & Coursera',
'Compliance & Security',
'social.?media.?\b(?:master|expert|pro|guru)\b',
'\bmeta\b.?(?:social|skill|ads).?(?:star|set|expert)'
)
or (
// "facebook" with optional U+200A (HAIR SPACE) between letters. Because every hair
// space is optional, the pattern also matches the plain word; the `and not` below
// removes that case so only the hair-space-obfuscated spellings fire here.
regex.icontains(sender.display_name,
"f\u{200a}?a\u{200a}?c\u{200a}?e\u{200a}?b\u{200a}?o\u{200a}?o\u{200a}?k"
)
and not strings.icontains(sender.display_name, 'facebook')
)
// U+24C2 is CIRCLED LATIN CAPITAL LETTER M (Ⓜ), used to imitate the Meta logo
or strings.contains(sender.display_name, "\u{24C2}")
// near-misspellings of the brand's ad/business product names (edit distance <= 2, case-insensitive)
or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
// brand string anywhere in the sender domain; legitimate owners are excluded further down
or strings.ilike(sender.email.domain.domain, '*facebook*')
or strings.ilike(sender.email.local_part,
"*instagramlive*",
"*facebooksupport*"
)
or strings.icontains(sender.email.domain.subdomain, 'meta-')
)
// the use of these keywords (facebook, instagram)
// or the levenshtein distance to facebook
// are less strong and thus need to be combined with logo detection or nlu
or (
(
regex.icontains(sender.display_name,
// `[\p{Mn}\p{Cf}]*` allows nonspacing marks and format characters (e.g. zero-width
// joiners) between letters, so homoglyph-padded spellings still match
'\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
'\binstagr(am)?\b',
'\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a\b'
)
or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
// NOTE(review): a specific sender treated as a weak indicator; presumably an abused
// no-reply platform seen in campaigns — confirm it still warrants listing here
or sender.email.email == 'noreply@appsheet.com'
)
// at least two of the following corroborating signals are required
and 2 of (
any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
),
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
),
// short body mentioning a policy violation
(
length(body.current_thread.text) < 2000
and regex.icontains(body.current_thread.text, "(?:violation|infringe)")
),
regex.icontains(subject.base,
'\b(?:recruiting|permanently|locked|certification|trust|safety|badge|alert|advertising|compliance|copyright|enforcement|intellectual|rights|account|help|support|business|policy|verif(?:y|i(?:cado|ed))|Vérifié|Trademark|Misuse|Review|Violation|Warning|Restriction|Inappropriate|service|Content|multiple reports)\b'
),
// links hosted on throwaway / self-service infrastructure
any(body.links,
.href_url.domain.root_domain in $self_service_creation_platform_domains
or .href_url.domain.root_domain in $free_file_hosts
or .href_url.domain.root_domain in $free_subdomain_hosts
or .href_url.domain.root_domain in $url_shorteners
),
sender.email.domain.root_domain in $free_email_providers
)
)
// salesforce sender combined with logo detection and nlu is enough
or (
sender.email.domain.root_domain == "salesforce.com"
and any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
)
)
or
// or the body contains a facebook/meta footer with the address citing "community support"
(
(
// Meta's Menlo Park postal address as it appears in forged footers.
// NOTE(review): a near-duplicate of this pattern is used in the advertising branch
// below (capturing groups, `\bMeta\b`); keep the two in sync if either is edited.
regex.icontains(body.current_thread.text,
'(?:1\s+(?:Facebook|Hacker|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
or (
regex.icontains(body.current_thread.text,
'(?:Security Team © Meta|Meta Support Team)'
)
)
)
// and it contains a link to spawn a chat with facebook - this is not the way support operates
and (
any(body.links,
strings.ends_with(.href_url.domain.domain, 'facebook.com')
and strings.starts_with(.href_url.path, '/msg/')
)
or (
// only the "high" confidence bucket here, stricter than the "medium"/"high"
// threshold used in the other branches
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("high")
)
)
// or a recipient's own address is embedded in a link, either plainly or
// base64-encoded in the URL or its fragment (`..`/`...` step out to the
// enclosing any() scopes to reach the recipient)
or any(recipients.to,
.email.domain.valid
and any(body.links,
strings.icontains(.href_url.url, ..email.email)
or any(beta.scan_base64(.href_url.url,
format="url",
ignore_padding=true
),
strings.icontains(., ...email.email)
)
// NOTE(review): no format="url" on the fragment scan, unlike the URL scan above —
// presumably because fragments are not URL-encoded; confirm this is intentional
or any(beta.scan_base64(.href_url.fragment,
ignore_padding=true
),
strings.icontains(., ...email.email)
)
)
)
)
)
// we've seen advertising "advice/recommendations"
or (
// every detected topic must be one of these two
all(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Advertising and Promotions", "Reminders and Notifications")
)
// Meta mention
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and strings.icontains(.text, 'Community Guidelines')
)
// see the footer-address pattern in the branch above; this variant differs slightly
or regex.icontains(body.current_thread.text,
'(1\s+(Facebook|Hacker|\bMeta\b)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
)
// "Meta Professional Certificate" lure: the Coursera-branded link must point away from coursera.org
or (
strings.icontains(body.current_thread.text, "Meta Professional Certificate")
and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
// Add link validation
and any(body.links,
strings.icontains(.display_text, "coursera")
and .href_url.domain.root_domain != "coursera.org"
)
)
// NOTE(review): the street number (1602) and ZIP (91024) here differ from the address
// used in the footer regexes above (1601 / 94025) — presumably deliberate, matching
// mistyped attacker footers; confirm before "correcting" them
or 2 of (
strings.icontains(body.current_thread.text, 'Meta '),
strings.icontains(body.current_thread.text, '1602 Willow Road'),
strings.icontains(body.current_thread.text, 'Menlo Park, CA 91024'),
)
)
// exclusions start here: legitimate Meta-owned / partner domains and known false positives
// (`in~` is the case-insensitive list membership)
and sender.email.domain.root_domain not in~ (
'facebook.com',
'facebookmail.com',
'eventsatfacebook.com',
'facebookenterprise.com',
'meta.com',
'metamail.com',
'instagram.com',
'medallia.com',
'fbworkmail.com',
'workplace.com',
'capterra.com', // they mention "Community Guidelines"
'facebookblueprint.com',
'metaenterprisemail.com',
'pigfacebookstore.com.au', // unrelated domain but hitting on facebook
'metacompliance.com',
'metaprop.com', // unrelated domain but hitting on meta pro
'oakley.com', // meta intelligence glasses
'facebookuserprivacysettlement.com', // fb settlement website
'perceptyx.com', // ai employee engagement
'unroll.me', // unroll contains instagram logo
'har.com' // facebook ads management
)
// negate metaenterprise links (legitimate mail replies back to facebookmail.com)
and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
// meta wiki renamer
and not (
sender.display_name == 'Meta-Wiki'
and sender.email.domain.root_domain == 'wikimedia.org'
)
// we don't want emails where all the links go to meta domains
and not (
(
length(body.links) > 1
and all(body.links,
.href_url.domain.root_domain in (
'facebook.com',
'instagram.com',
'meta.com'
)
// '/share/' links are not counted as "going to Meta" for this exclusion
and not strings.istarts_with(.href_url.path, '/share/')
)
)
// too many links
or length(body.links) > 20
)
// no previous threads
and length(body.previous_threads) == 0
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
// salesforce has been abused for meta phishing campaigns repeatedly
// (so it is not granted the high-trust/DMARC exemption even if listed there)
or sender.email.domain.root_domain == "salesforce.com"
)