Low Severity
Brand Impersonation: Meta and Subsidiaries
Description
Impersonation of Meta or Meta's subsidiaries Facebook and Instagram.
References
Sublime Security
Created Aug 17th, 2023 • Last updated Jul 9th, 2025
Feed Source
Sublime Core Feed
Source
type.inbound
and (
// sender display name is a strong enough indicator
// that it can be used without any other impersonation logic
(
regex.icontains(sender.display_name,
'facebook ?ads',
'facebook ?business',
'meta ?account',
'meta ?support',
'meta ?business',
'meta ?for ?business',
'meta ?policy',
'page ?ads ?support',
'Instagram ?Not',
'Instagram ?Policies',
'Instagram ?Report',
'Instagram ?Helpdesk',
'Instagram ?Support',
'Ads ?Team'
)
or strings.ilevenshtein(sender.display_name, 'facebook ads') <= 2
or strings.ilevenshtein(sender.display_name, 'facebook business') <= 2
or (
strings.levenshtein(sender.display_name, 'Meta Support') <= 2
// negation for Zeta Support
and not (
sender.display_name == "Zeta Support"
and sender.email.domain.root_domain == 'zetaglobal.net'
)
)
or strings.ilike(sender.email.domain.domain, '*facebook*')
or strings.ilike(sender.email.local_part,
"*instagramlive*",
"*facebooksupport*"
)
)
// the use of these keywords (facebook, meta, meta.*support)
// or the levenshtein distance to facebook
// are less strong and thus need to be combined with logo detection or nlu
or (
(
(
regex.icontains(sender.display_name,
'\bf[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*c[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*b[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*o[\p{Mn}\p{Cf}]*k[\p{Mn}\p{Cf}]*\b',
'\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*\b',
'\bm[\p{Mn}\p{Cf}]*e[\p{Mn}\p{Cf}]*t[\p{Mn}\p{Cf}]*a[\p{Mn}\p{Cf}]*.*support',
'\binstagr(am)?\b'
)
// negate metageek.com
and not (
strings.icontains(sender.display_name, 'MetaGeek Support')
and sender.email.domain.root_domain == "metageek.com"
)
)
or strings.ilevenshtein(sender.display_name, 'facebook') <= 2
)
and (
any(ml.logo_detect(beta.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
)
or regex.icontains(body.plain.raw, "(violation|infringe|copyright)")
or any(body.links, .href_url.domain.root_domain == "rebrand.ly")
)
)
// salesforce sender combined with logo detection and nlu is enough
or (
sender.email.domain.root_domain == "salesforce.com"
and any(ml.logo_detect(beta.message_screenshot()).brands,
.name in ("Facebook", "Meta", "Instagram", "Threads")
)
and any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("medium", "high")
)
)
or
// or the body contains a facebook/meta footer with the address citing "community support"
(
regex.icontains(body.current_thread.text,
'(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
// and it contains a link to spawn a chat with facebook - this is not the way support operates
and (
any(body.links,
strings.ends_with(.href_url.domain.domain, 'facebook.com')
and strings.starts_with(.href_url.path, '/msg/')
)
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name in ("cred_theft", "callback_scam", "steal_pii")
and .confidence in ("high")
)
)
or any(recipients.to,
.email.domain.valid
and any(body.links,
strings.icontains(.href_url.url, ..email.email)
or any(beta.scan_base64(.href_url.url,
format="url",
ignore_padding=true
),
strings.icontains(., ...email.email)
)
or any(beta.scan_base64(.href_url.fragment,
ignore_padding=true
),
strings.icontains(., ...email.email)
)
)
)
)
)
// we've seen advertising "advice/recommendations"
or (
all(beta.ml_topic(body.current_thread.text).topics,
.name in ("Advertising and Promotions", "Reminders and Notifications")
)
// Meta mention
and (
any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "org"
and strings.icontains(.text, 'Community Guidelines')
)
or regex.icontains(body.current_thread.text,
'(1\s+(Facebook|Meta)?\s*Way|1601\s+Willow\s+Rd?).*Menlo\s+Park.*CA.*94025'
)
)
and any(ml.nlu_classifier(body.current_thread.text).entities,
.name == "urgency"
)
)
)
and sender.email.domain.root_domain not in~ (
'facebook.com',
'facebookmail.com',
'eventsatfacebook.com',
'facebookenterprise.com',
'meta.com',
'metamail.com',
'instagram.com',
'medallia.com',
'fbworkmail.com',
'workplace.com',
'capterra.com', // they mention "Community Guidelines"
'facebookblueprint.com'
)
// negate metaenterprise links
and not any(headers.reply_to, .email.email == "noreply@facebookmail.com")
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
// salesforce has been abused for meta phishing campaigns repeatedly
or sender.email.domain.root_domain == "salesforce.com"
)
and not profile.by_sender().any_messages_benign
Playground
Test against your own EMLs or sample data.