From 26ee6690d593a52c6b9e92294eea3255d0e11ff0 Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Wed, 29 Oct 2025 15:18:49 -0400 Subject: [PATCH 1/7] Create first pass of meta business abuse rule --- detection-rules/service_abuse_meta_business.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 detection-rules/service_abuse_meta_business.yml diff --git a/detection-rules/service_abuse_meta_business.yml b/detection-rules/service_abuse_meta_business.yml new file mode 100644 index 00000000000..f5df7d9ecb2 --- /dev/null +++ b/detection-rules/service_abuse_meta_business.yml @@ -0,0 +1,17 @@ +name: "Service abuse: Facebook business with action required subject" +description: "Detects messages from the Facebook business domain containing 'action required' in the subject line, commonly used to create urgency in impersonation attacks." +type: "rule" +severity: "medium" +source: | + strings.icontains(subject.subject, "action required") + and sender.email.email == "noreply@business.facebook.com" +tags: + - "Attack surface reduction" +attack_types: + - "Credential Phishing" +tactics_and_techniques: + - "Impersonation: Brand" + - "Social engineering" +detection_methods: + - "Content analysis" + - "Sender analysis" From 3ed229ec0380d9a6703c10455b5a15c045ad7aa5 Mon Sep 17 00:00:00 2001 From: ID Generator Date: Wed, 29 Oct 2025 19:28:34 +0000 Subject: [PATCH 2/7] Auto add rule ID --- detection-rules/service_abuse_meta_business.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/detection-rules/service_abuse_meta_business.yml b/detection-rules/service_abuse_meta_business.yml index f5df7d9ecb2..ec8f74cf927 100644 --- a/detection-rules/service_abuse_meta_business.yml +++ b/detection-rules/service_abuse_meta_business.yml @@ -15,3 +15,4 @@ tactics_and_techniques: detection_methods: - "Content analysis" - "Sender analysis" +id: "64297d2f-a5bd-5336-8db7-ec00df59411f" 
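Review bot: The sender condition on the new side, `sender.email.email == "noreply@business.facebook.com"`, compares only the header From address, so a message that merely spoofs that address satisfies it exactly as genuine Meta mail does; for a service-abuse rule, whose premise is that Meta's own infrastructure delivered the message, the origin should be authenticated, e.g. `and headers.auth_summary.dmarc.pass` (assuming that summary field is exposed by this rule engine), leaving unauthenticated lookalikes to the brand-impersonation rules. As written there is also no attacker-controlled signal beyond a generic subject phrase, so every legitimate Facebook Business notification with "action required" in the subject fires the rule; the description itself concedes the phrase is only "commonly used" rather than distinctive. A short comment inside `source` explaining why an authentic Meta sender is nonetheless treated as suspicious would help the next maintainer understand the rule's intent.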
From ff48e10c093edfd7dcb261bd6686551d52d940e9 Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Thu, 30 Oct 2025 12:14:16 -0400 Subject: [PATCH 3/7] Update service_abuse_meta_business.yml --- detection-rules/service_abuse_meta_business.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/detection-rules/service_abuse_meta_business.yml b/detection-rules/service_abuse_meta_business.yml index ec8f74cf927..149b07c17c4 100644 --- a/detection-rules/service_abuse_meta_business.yml +++ b/detection-rules/service_abuse_meta_business.yml @@ -3,7 +3,8 @@ description: "Detects messages from the Facebook business domain containing 'act type: "rule" severity: "medium" source: | - strings.icontains(subject.subject, "action required") + type.inbound + and strings.icontains(subject.subject, "action required") and sender.email.email == "noreply@business.facebook.com" tags: - "Attack surface reduction" From 5cf6aee8a3ae31180052fe8eaf0a33279c0a2e25 Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Thu, 30 Oct 2025 16:39:42 -0400 Subject: [PATCH 4/7] Update service_abuse_meta_business.yml --- detection-rules/service_abuse_meta_business.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/detection-rules/service_abuse_meta_business.yml b/detection-rules/service_abuse_meta_business.yml index 149b07c17c4..7c30ed3e365 100644 --- a/detection-rules/service_abuse_meta_business.yml +++ b/detection-rules/service_abuse_meta_business.yml 
@@ -4,8 +4,19 @@ type: "rule" severity: "medium" source: | type.inbound - and strings.icontains(subject.subject, "action required") and sender.email.email == "noreply@business.facebook.com" + and ( + // and the link is recently registered + any(body.links, network.whois(.href_url.domain).days_old <= 30) + or any(body.links, + // if the link is still active, check if it's cred theft + any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents, + .name == "cred_theft" and .confidence != "low" + ) + ) + // or look for the legit Meta footer address + or strings.icontains(body.plain.raw, 'Community Support, 1 Meta Way, Menlo Park, CA 94025') + ) tags: - "Attack surface reduction" attack_types: From 27bb830e5680c97c9c5b2023f41395a62df638f1 Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Thu, 30 Oct 2025 16:41:17 -0400 Subject: [PATCH 5/7] Update service_abuse_meta_business.yml --- detection-rules/service_abuse_meta_business.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detection-rules/service_abuse_meta_business.yml b/detection-rules/service_abuse_meta_business.yml index 7c30ed3e365..1f881b0e1a3 100644 --- a/detection-rules/service_abuse_meta_business.yml +++ b/detection-rules/service_abuse_meta_business.yml @@ -15,7 +15,7 @@ source: | ) ) // or look for the legit Meta footer address - or strings.icontains(body.plain.raw, 'Community Support, 1 Meta Way, Menlo Park, CA 94025') + or strings.icontains(body.plain.raw, '1 Meta Way, Menlo Park, CA 94025') ) tags: - "Attack surface reduction" From 63c4803803428814e4eec63dca81c18a137f413b Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Thu, 30 Oct 2025 16:45:18 -0400 Subject: [PATCH 6/7] Update service_abuse_meta_business.yml --- detection-rules/service_abuse_meta_business.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
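Review bot: The third alternative in the new `and ( ... )` group, `or strings.icontains(body.plain.raw, 'Community Support, 1 Meta Way, Menlo Park, CA 94025')`, is by its own comment the footer of a genuine Meta message, so on real Meta mail that branch is true on its own and the recently-registered-domain and credential-theft branches never influence the verdict; the rule therefore still matches any legitimate Facebook Business "action required" notification. If the intent is "authentic Meta message AND an abuse indicator", the footer check (or better, a sender-authentication check) belongs in a conjunction with the first two branches, i.e. `and strings.icontains(...footer...)` followed by `and ( any(body.links, network.whois(...)...) or any(body.links, ...) )`, rather than as a third disjunct. Separately, `network.whois(.href_url.domain)` looks up the domain of the link as written in the message; mail relayed by Meta appears to carry Meta-owned links, so an attacker's destination would only be visible through the link's resolved URL after redirects, which is worth confirming against real samples before relying on the 30-day age check. The `source` block begins before this hunk.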
diff --git a/detection-rules/service_abuse_meta_business.yml b/detection-rules/service_abuse_meta_business.yml index 1f881b0e1a3..b05e5ee8545 100644 --- a/detection-rules/service_abuse_meta_business.yml +++ b/detection-rules/service_abuse_meta_business.yml @@ -15,7 +15,7 @@ source: | ) ) // or look for the legit Meta footer address - or strings.icontains(body.plain.raw, '1 Meta Way, Menlo Park, CA 94025') + or strings.icontains(body.current_thread.text, '1 Meta Way, Menlo Park, CA 94025') ) tags: - "Attack surface reduction" From 442af447bd9b47c5eafb13247bfa791722fbf79b Mon Sep 17 00:00:00 2001 From: Luke Wescott <69780712+IndiaAce@users.noreply.github.com> Date: Fri, 7 Nov 2025 09:17:31 -0500 Subject: [PATCH 7/7] Update service_abuse_meta_business with further refinements, adding a 3 of to catch variants in current_thread.text and subject lines. Also adding additional root_domain found --- .../service_abuse_meta_business.yml | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/detection-rules/service_abuse_meta_business.yml b/detection-rules/service_abuse_meta_business.yml index b05e5ee8545..93f2c5e5ee8 100644 --- a/detection-rules/service_abuse_meta_business.yml +++ b/detection-rules/service_abuse_meta_business.yml 
@@ -4,9 +4,21 @@ type: "rule" severity: "medium" source: | type.inbound - and sender.email.email == "noreply@business.facebook.com" and ( - // and the link is recently registered + sender.email.domain.root_domain == "facebook.com" + or sender.email.domain.root_domain == "facebookmail.com" + ) + and 3 of ( + strings.icontains(subject.subject, "Action required"), + strings.icontains(subject.subject, "invited to join"), + strings.icontains(body.current_thread.text, "You've been invited"), + strings.icontains(body.current_thread.text, "You're invited"), + strings.icontains(body.current_thread.text, + "not part of or affiliated with Meta" + ) + ) + and ( + // and the link is recently registered any(body.links, network.whois(.href_url.domain).days_old <= 30) or any(body.links, // if the link is still active, check if it's cred theft @@ -15,7 +27,9 @@ source: | ) ) // or look for the legit Meta footer address - or strings.icontains(body.current_thread.text, '1 Meta Way, Menlo Park, CA 94025') + or strings.icontains(body.current_thread.text, + '1 Meta Way, Menlo Park, CA 94025' + ) ) tags: - "Attack surface reduction"
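Review bot: The new `3 of ( ... )` group can be satisfied by what looks like ordinary invitation boilerplate — `invited to join`, `You've been invited` and `not part of or affiliated with Meta` are three of the five terms — so a benign business invitation with no urgency lure would match now that `strings.icontains(subject.subject, "action required")` has been moved from a mandatory term into the optional set; if the urgency cue is the actual indicator, keep it as a required conjunct and apply a `2 of` threshold to the remaining strings, and in either case validate the threshold against benign invite samples. The rule's `name` and `description` (above this hunk) still say the subject must contain "action required", which this change no longer enforces, so they should be updated in the same commit. The footer branch `or strings.icontains(body.current_thread.text, '1 Meta Way, ...')` remains a disjunct of the link-based checks, so the second hunk's group is still satisfied by any genuine Meta message regardless of link age or screenshot classification. The `source` block continues past both hunks.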