sublime-security · IndiaAce · Oct 29, 2025 · Oct 29, 2025 · Oct 30, 2025 · Oct 30, 2025
@@ -0,0 +1,44 @@
+name: "Service abuse: Facebook business with action required subject"
+description: "Detects messages from the Facebook business domain containing 'action required' in the subject line, commonly used to create urgency in impersonation attacks."
+type: "rule"
+severity: "medium"
+source: |
+  type.inbound
+  and (
+    sender.email.domain.root_domain == "facebook.com"
+    or sender.email.domain.root_domain == "facebookmail.com"
+  )
+  and 3 of (
+    strings.icontains(subject.subject, "Action required"),
+    strings.icontains(subject.subject, "invited to join"),
+    strings.icontains(body.current_thread.text, "You've been invited"),
+    strings.icontains(body.current_thread.text, "You're invited"),
+    strings.icontains(body.current_thread.text,
+                      "not part of or affiliated with Meta"
+    )
+  )
+  and (
+    // and the link is recently registered
+    any(body.links, network.whois(.href_url.domain).days_old <= 30)
+    or any(body.links,
+           // if the link is still active, check if it's cred theft
+           any(ml.nlu_classifier(beta.ocr(ml.link_analysis(.).screenshot).text).intents,
+               .name == "cred_theft" and .confidence != "low"
+           )
+    )
+    // or look for the legit Meta footer address
+    or strings.icontains(body.current_thread.text,
+                         '1 Meta Way, Menlo Park, CA 94025'
+    )
+  )
+tags:
+ - "Attack surface reduction"
+attack_types:
+  - "Credential Phishing"
+tactics_and_techniques:
+  - "Impersonation: Brand"
+  - "Social engineering"
+detection_methods:
+  - "Content analysis"
+  - "Sender analysis"
+id: "64297d2f-a5bd-5336-8db7-ec00df59411f"