← Back to Explore
sublimemediumRule
Brand impersonation: Fake Fax
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
Detection Query
type.inbound
// Subject or sender contains fax
and (
any([subject.subject, sender.display_name],
regex.icontains(.,
'\bfax\b',
'[ve][[:punct:]]?fax',
'[[:punct:]]fax\b',
'\bfax[[:punct:]]',
'fr[[:punct:]].{0,25}document'
)
)
)
and (
// body.current_thread.text logic
(
( // strong notification terms in either the subject or body.current_thread.text
any([subject.subject, body.current_thread.text],
strings.icontains(., "New Fax Received")
or strings.icontains(., "e-Fax Document")
or strings.icontains(., "Fax Status")
or strings.icontains(., "Fax ID")
or strings.icontains(., "New Fax Document")
or strings.istarts_with(., 'Fax message')
or regex.icontains(.,
'(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
)
or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
or regex.icontains(.,
'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
)
)
and (
// combined with above, we should have very high confidence this is a fax message
(
// date
strings.icontains(body.current_thread.text, "Date:")
or strings.icontains(body.current_thread.text, "Time Sent:")
or strings.icontains(body.current_thread.text, "Time Received:")
or strings.icontains(body.current_thread.text, "Received")
// page count
or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
or strings.icontains(body.current_thread.text, "Type: PDF")
)
// commonly abused brands
or (
strings.icontains(body.current_thread.text,
"eFax is a registered trademark of Consensus"
)
or strings.icontains(body.current_thread.text, "RingCentral, Inc")
)
// there is a link with the display text of some CTA
or any(body.links,
strings.icontains(.display_text, "open fax")
// review document, view document review and sign document
or regex.icontains(.display_text,
"(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
)
or strings.icontains(.display_text, "Open document")
)
)
)
// attachment logic
or (
// the body.current_thread.text length is very short (probably just a warning banner)
// and the attachment isn't used in the body of the message
length(body.current_thread.text) < 300
// and there are attachments
and 0 < length(attachments) < 5
// the attachments shouldn't be images which are used in the body of the html
and any(attachments,
strings.icontains(.file_name, 'fax')
or (
// or they are used in the body and OCR on them contains fax wording
// the image is used in the HTML body
.file_type in $file_types_images
and (
any(regex.extract(.content_id, '^\<(.*)\>$'),
any(.groups,
strings.icontains(body.html.raw,
strings.concat('src="cid:', ., '"')
)
)
)
or strings.icontains(body.html.raw, .content_id)
)
and (
// and that image contains fax wording
strings.icontains(beta.ocr(.).text, "New Fax Received")
or strings.icontains(beta.ocr(.).text, "New Fax Document")
or regex.icontains(beta.ocr(.).text,
"(?:received|have) a (?:new )?fax"
)
or regex.icontains(beta.ocr(.).text,
"to view (th(?:e|is) )?(?:fax|message)"
)
or regex.icontains(beta.ocr(.).text,
'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
)
)
)
)
)
)
)
// negate known fax mailers
and not (
sender.email.domain.root_domain in (
"faxage.com",
'fax2mail.com',
'ringcentral.com',
'ringcentral.biz',
'avaya.com',
'egoldfax.com',
'efax.com',
'hellofax.com',
'mfax.io',
'goto.com',
'faxmessage.net',
'fuze.com',
'retarus.net',
'srfax.com',
'myfax.com',
'8x8.com',
'zoom.us',
'faxhd.com',
'humblefax.com',
'bridge.insure',
'telecomsvc.com'
)
and headers.auth_summary.dmarc.pass
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Brand impersonation: Fake Fax"
description: |
Detects messages containing fax-related language and notification elements from senders outside of known legitimate fax service providers.
references:
- "https://www.hoxhunt.com/blog/fax-phishing"
type: "rule"
severity: "medium"
source: |
type.inbound
// Subject or sender contains fax
and (
any([subject.subject, sender.display_name],
regex.icontains(.,
'\bfax\b',
'[ve][[:punct:]]?fax',
'[[:punct:]]fax\b',
'\bfax[[:punct:]]',
'fr[[:punct:]].{0,25}document'
)
)
)
and (
// body.current_thread.text logic
(
( // strong notification terms in either the subject or body.current_thread.text
any([subject.subject, body.current_thread.text],
strings.icontains(., "New Fax Received")
or strings.icontains(., "e-Fax Document")
or strings.icontains(., "Fax Status")
or strings.icontains(., "Fax ID")
or strings.icontains(., "New Fax Document")
or strings.istarts_with(., 'Fax message')
or regex.icontains(.,
'(?:received|have) (a|(?:(.?\d.?))) (?:new )?e?fax'
)
or regex.icontains(., "to view (th(?:e|is) )?(?:fax|message)")
or regex.icontains(.,
'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
)
)
and (
// combined with above, we should have very high confidence this is a fax message
(
// date
strings.icontains(body.current_thread.text, "Date:")
or strings.icontains(body.current_thread.text, "Time Sent:")
or strings.icontains(body.current_thread.text, "Time Received:")
or strings.icontains(body.current_thread.text, "Received")
// page count
or regex.icontains(body.current_thread.text, "Num(ber)? of Pages?")
or strings.icontains(body.current_thread.text, "Type: PDF")
)
// commonly abused brands
or (
strings.icontains(body.current_thread.text,
"eFax is a registered trademark of Consensus"
)
or strings.icontains(body.current_thread.text, "RingCentral, Inc")
)
// there is a link with the display text of some CTA
or any(body.links,
strings.icontains(.display_text, "open fax")
// review document, view document review and sign document
or regex.icontains(.display_text,
"(?:re)?view (?:(?:&|and) sign )?(?:complete )?document"
)
or strings.icontains(.display_text, "Open document")
)
)
)
// attachment logic
or (
// the body.current_thread.text length is very short (probably just a warning banner)
// and the attachment isn't used in the body of the message
length(body.current_thread.text) < 300
// and there are attachments
and 0 < length(attachments) < 5
// the attachments shouldn't be images which are used in the body of the html
and any(attachments,
strings.icontains(.file_name, 'fax')
or (
// or they are used in the body and OCR on them contains fax wording
// the image is used in the HTML body
.file_type in $file_types_images
and (
any(regex.extract(.content_id, '^\<(.*)\>$'),
any(.groups,
strings.icontains(body.html.raw,
strings.concat('src="cid:', ., '"')
)
)
)
or strings.icontains(body.html.raw, .content_id)
)
and (
// and that image contains fax wording
strings.icontains(beta.ocr(.).text, "New Fax Received")
or strings.icontains(beta.ocr(.).text, "New Fax Document")
or regex.icontains(beta.ocr(.).text,
"(?:received|have) a (?:new )?fax"
)
or regex.icontains(beta.ocr(.).text,
"to view (th(?:e|is) )?(?:fax|message)"
)
or regex.icontains(beta.ocr(.).text,
'transmit(?:ted|ting)?(?:\s+\w+){0,2}\s+(?:fax|facsimile)',
'(?:fax|facsimile)\s+(?:\s+\w+){0,2}transmit(?:ted|ting)?',
)
)
)
)
)
)
)
// negate known fax mailers
and not (
sender.email.domain.root_domain in (
"faxage.com",
'fax2mail.com',
'ringcentral.com',
'ringcentral.biz',
'avaya.com',
'egoldfax.com',
'efax.com',
'hellofax.com',
'mfax.io',
'goto.com',
'faxmessage.net',
'fuze.com',
'retarus.net',
'srfax.com',
'myfax.com',
'8x8.com',
'zoom.us',
'faxhd.com',
'humblefax.com',
'bridge.insure',
'telecomsvc.com'
)
and headers.auth_summary.dmarc.pass
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Image as content"
- "Free file host"
- "Free subdomain host"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "Content analysis"
- "Optical Character Recognition"
- "Sender analysis"
- "URL analysis"
id: "2a96b90a-64bf-52ad-b4e4-6f1e8c1dcba6"