Brand impersonation: Amazon Web Services (AWS)
Detects messages impersonating AWS through similar display names combined with security-themed content and authentication failures. Excludes legitimate AWS communications and trusted senders.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Amazon Web Services (AWS)"
2description: "Detects messages impersonating AWS through similar display names combined with security-themed content and authentication failures. Excludes legitimate AWS communications and trusted senders."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and regex.icontains(strings.replace_confusables(sender.display_name),
8 '\baws\b|amazon web services|\bses\b'
9 )
10 and (
11 // ML Topic Analysis and Credential Theft Detection
12 any(ml.nlu_classifier(body.current_thread.text).topics,
13 .name in ("Security and Authentication", "Secure Message")
14 and .confidence == "high"
15 )
16 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
17 .name in ("Security and Authentication", "Secure Message")
18 and .confidence == "high"
19 and beta.ocr(file.message_screenshot()).text != ""
20 )
21 or any(ml.nlu_classifier(body.current_thread.text).intents,
22 .name == "cred_theft" and .confidence == "high"
23 )
24 or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
25 .name == "cred_theft" and .confidence == "high"
26 )
27 )
28 // Not from legitimate AWS domains
29 // there was a DMARC check here, but a lot of users send AWS notifications to groups/mailing lists that breaks DMARC
30 and not (
31 sender.email.domain.root_domain in $org_domains
32 or sender.email.domain.root_domain in (
33 "amazon.com",
34 "amazonaws.com",
35 "amazonses.com",
36 "awsevents.com",
37 "awsmp-seller-conference.com",
38 "aws-experience.com",
39 "marketplace.aws",
40 "aws.com",
41 "amazonaws.cn",
42 "repost.aws",
43 "awscustomercouncil.com",
44 "airtableemail.com", // used for re:Invent
45 "nmls.org", // "state examination system", realtor software
46 "mktgcampaigns.com", // Elastic + AWS co-marketing emails
47 "awseducate.com",
48 "awsacademy.com"
49 )
50 or sender.email.domain.tld == "local"
51 )
52 // negate highly trusted sender domains unless they fail DMARC authentication
53 and (
54 (
55 sender.email.domain.root_domain in $high_trust_sender_root_domains
56 and not headers.auth_summary.dmarc.pass
57 )
58 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
59 )
60 // sender email specific
61 and not (
62 profile.by_sender_email().solicited
63 // sender domain specific
64 or (
65 profile.by_sender().solicited
66 // 30 day decay
67 and (profile.by_sender().days_since.last_contact < 30)
68 )
69 )
70
71attack_types:
72 - "Credential Phishing"
73tactics_and_techniques:
74 - "Impersonation: Brand"
75 - "Social engineering"
76detection_methods:
77 - "Content analysis"
78 - "Header analysis"
79 - "Optical Character Recognition"
80 - "Sender analysis"
81 - "Natural Language Understanding"
82id: "31de94e0-8c93-5408-929f-f448eea91830"