Brand impersonation: Amazon Web Services (AWS)
Detects messages impersonating AWS through similar display names combined with security-themed content and authentication failures. Excludes legitimate AWS communications and trusted senders.
# Sublime detection rule. Fires on inbound mail whose display name looks like
# AWS/SES AND whose body text (or OCR text of a screenshot of the message) is
# classified as security/authentication content or credential-theft intent,
# unless the sender root domain is an org domain, a listed AWS-related domain,
# a ".local" TLD, a DMARC-passing high-trust domain, or a solicited sender.
1name: "Brand impersonation: Amazon Web Services (AWS)"
2description: "Detects messages impersonating AWS through similar display names combined with security-themed content and authentication failures. Excludes legitimate AWS communications and trusted senders."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
  // Display-name check: confusable characters are replaced before the regex
  // runs, so look-alike glyphs in the display name still match. Note that
  // '\bses\b' also matches the bare product name "SES" (Simple Email Service).
7 and regex.icontains(strings.replace_confusables(sender.display_name),
8 '\baws\b|amazon web services|\bses\b'
9 )
10 and (
11 // ML Topic Analysis and Credential Theft Detection
  // Any ONE of the four classifier signals below is sufficient: a
  // security/auth topic or a cred_theft intent, each evaluated on the current
  // thread text and again on the OCR text of a message screenshot. Every
  // branch requires "high" confidence.
12 any(ml.nlu_classifier(body.current_thread.text).topics,
13 .name in ("Security and Authentication", "Secure Message")
14 and .confidence == "high"
15 )
16 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
17 .name in ("Security and Authentication", "Secure Message")
18 and .confidence == "high"
  // The OCR text must be non-empty for this branch to count (this condition is
  // evaluated inside the any(), i.e. once per topic).
19 and beta.ocr(file.message_screenshot()).text != ""
20 )
21 or any(ml.nlu_classifier(body.current_thread.text).intents,
22 .name == "cred_theft" and .confidence == "high"
23 )
24 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
25 .name == "cred_theft" and .confidence == "high"
26 )
27 )
28 // Not from legitimate AWS domains
29 // there was a DMARC check here, but a lot of users send AWS notifications to groups/mailing lists that breaks DMARC
  // NOTE(review): with the DMARC gate removed, this exclusion rests on the
  // claimed sender root domain alone. A message whose From: domain is one of
  // the domains below but fails DMARC is therefore also excluded by this rule;
  // that coverage gap is the accepted cost of not alerting on AWS
  // notifications relayed through mailing lists (see the comment above).
30 and not (
31 sender.email.domain.root_domain in $org_domains
  // Root-domain allowlist: AWS/Amazon properties plus a few third-party
  // senders that legitimately carry AWS-branded mail (reasons inline).
32 or sender.email.domain.root_domain in (
33 "amazon.com",
34 "amazonaws.com",
35 "amazonses.com",
36 "awsevents.com",
37 "aws-experience.com",
38 "marketplace.aws",
39 "aws.com",
40 "amazonaws.cn",
41 "repost.aws",
42 "awscustomercouncil.com",
43 "airtableemail.com", // used for re:Invent
44 "nmls.org", // "state examination system", realtor software
45 "mktgcampaigns.com", // Elastic + AWS co-marketing emails
46 "awseducate.com",
47 "awsacademy.com"
48 )
  // Senders with a ".local" TLD are excluded as well.
49 or sender.email.domain.tld == "local"
50 )
51 // negate highly trusted sender domains unless they fail DMARC authentication
  // i.e. a high-trust root domain is excluded only while its mail passes
  // DMARC; a DMARC failure from such a domain still evaluates against the rule.
52 and (
53 (
54 sender.email.domain.root_domain in $high_trust_sender_root_domains
55 and not headers.auth_summary.dmarc.pass
56 )
57 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
58 )
  // Finally, skip senders flagged as solicited in the sender profile.
59 and not profile.by_sender().solicited
60
# Classification metadata (attack type, tactics, detection methods) and the
# rule's stable id.
61attack_types:
62 - "Credential Phishing"
63tactics_and_techniques:
64 - "Impersonation: Brand"
65 - "Social engineering"
66detection_methods:
67 - "Content analysis"
68 - "Header analysis"
69 - "Optical Character Recognition"
70 - "Sender analysis"
71 - "Natural Language Understanding"
72id: "31de94e0-8c93-5408-929f-f448eea91830"