Service abuse: Amazon invitation with suspected callback phishing

Detects mail from Amazon's no-reply address with the subject "Your invitation has been sent" whose branded HTML header elements (h2 tags carrying the rio-header class) contain a phone number. Amazon's invitation template does not normally place a phone number there; this pattern is commonly used to trick recipients into calling fraudulent customer service numbers.

Sublime rule (View on GitHub)

name: "Service abuse: Amazon invitation with suspected callback phishing"
description: "Detects Amazon's no-reply address with a subject about invitation sending, containing phone numbers within HTML header elements. This pattern is commonly used to trick recipients into calling fraudulent customer service numbers."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == 'no-reply@amazon.com'
  and subject.base == 'Your invitation has been sent'
  and any(html.xpath(body.html, "//h2[contains(@class, 'rio-header')]").nodes,
          // phone number regex
          regex.icontains(strings.replace_confusables(.display_text),
                          '\+?(?:[ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                          '\+?(?:[ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
          )
  )
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "HTML analysis"
  - "Sender analysis"
id: "f9eff808-2bc7-5ec0-90a0-bb27eacca323"