type.inbound
and (
// sender display name is a strong enough indicator
// that it can be used without any other impersonation logic
(
regex.icontains(sender.display_name,
'facebook ?ads',
'facebook ?business',
'meta ?account',
'meta ?help',
'meta ?support',
'meta ?business',
'meta ?for ?business',
'meta ?policy',
'page ?ads ?support',
'Instagram ?Not',
'Instagram ?Policies',
'Instagram ?Report',
'Instagram ?Helpdesk',
'Instagram ?Support',
'Ads ?Team',
'Meta & Coursera',
'Compliance & Security',
'meta.*inc',
'meta ?copyright',
'meta ?compliance',
'meta ?pro',
'meta ?certify',
'social.?media.?(master|expert|pro|guru)',
'meta.?(social|skill|ads).?(star|set|expert)'
)
or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
or (
strings.levenshtein(sender.display_name, 'Meta Support') <= 2
// negation for Zeta Support
and not (
sender.display_name == "Zeta Support"
and sender.email.domain.root_domain == 'zetaglobal.net'
)
and not (
sender.display_name == "Veza Support"
and sender.email.domain.root_domain == 'veza.com'
and headers.auth_summary.dmarc.pass
)
and not sender.display_name == "Get Support"
)
or strings.ilike(sender.email.domain.domain, '*facebook*')
or strings.ilike(sender.email.local_part,
"*instagramlive*",
"*facebooksupport*"
)
)
// the use of these keywords (facebook, meta, meta.*support)
// or the levenshtein distance to facebook
// are less strong and thus need to be combined with logo detection or nlu
or (
(
(
regex.icontains(sender.display_name,
'\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
'\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
'\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
'\binstagr(am)?\b'
)
// negate metageek.com
and not (
strings.icontains(sender.display_name, 'MetaGeek Support')
and sender.email.domain.root_domain == "metageek.com"
)
)
or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
)
and (
any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
)
or (
length(body.current_thread.text) < 2000
and regex.icontains(body.current_thread.text,
"(?:violation|infringe|copyright)"
)
)
or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
)
)
// salesforce sender combined with logo detection and nlu is enough
or (
sender.email.domain.root_domain == "salesforce.com"
and any(ml.logo_detect(file.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
)
)
or
// or the body contains a facebook/meta footer with the address citing "community support"
(
regex.icontains(body.current_thread.text,
'(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
// and it contains a link to spawn a chat with facebook - this is not the way support operates
and (
any(body.links,
strings.ends_with(.href_url.domain.domain, 'facebook.com')
and strings.starts_with(.href_url.path, '/msg/')
)
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("high")
)
)
or any(recipients.to,
.email.domain.valid
and any(body.links,
strings.icontains(.href_url.url, ..email.email)
or any(beta.scan_base64(.href_url.url,
format="url",
ignore_padding=true
),
strings.icontains(., ...email.email)
)
or any(beta.scan_base64(.href_url.fragment,
ignore_padding=true
),
strings.icontains(., ...email.email)
)
)
)
)
)
// we've seen advertising "advice/recommendations"
or (
all(ml.nlu_classifier(body.current_thread.text).topics,
.name in ("Advertising and Promotions", "Reminders and Notifications")
)
// Meta mention
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org" and strings.icontains(.text, 'Community Guidelines')
)
or regex.icontains(body.current_thread.text,
'(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
)
or (
strings.icontains(body.current_thread.text, "Meta Professional Certificate")
and strings.icontains(body.current_thread.text, "Meta & Coursera Team")
// Add link validation
and any(body.links,
strings.icontains(.display_text, "coursera")
and .href_url.domain.root_domain != "coursera.org"
)
)
or 2 of (
strings.icontains(body.current_thread.text, 'Meta'),
strings.icontains(body.current_thread.text, '1602 Willow Road'),
strings.icontains(body.current_thread.text, 'Menlo Park, CA 91024'),
)
)
and sender.email.domain.root_domain not in~ (
'facebook.com',
'facebookmail.com',
'eventsatfacebook.com',
'facebookenterprise.com',
'meta.com',
'metamail.com',
'instagram.com',
'medallia.com',
'fbworkmail.com',
'workplace.com',
'capterra.com', // they mention "Community Guidelines"
'facebookblueprint.com',
'metaenterprisemail.com',
'pigfacebookstore.com.au', // unrelated domain but hitting on facebook
'metacompliance.com',
'metaprop.com' // unrelated domain but hitting on meta pro
)
// negate metaenterprise links
and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
// salesforce has been abused for meta phishing campaigns repeatedly
or sender.email.domain.root_domain == "salesforce.com"
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.