Brand impersonation: Amazon
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Sublime rule (View on GitHub)
1name: "Brand impersonation: Amazon"
2description: |
3 Impersonation of Amazon. These are most commonly fake shipping notifications.
4 Amazon is the #2 most-impersonated brand (as of Q2 2020)
5references:
6 - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
7 - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
8type: "rule"
9severity: "low"
10source: |
11 type.inbound
12 and not any(headers.hops,
13 any(.fields,
14 .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification"
15 )
16 )
17 and (
18 regex.icontains(sender.display_name,
19 '\b[aaa๐ฐa๏ฝ๐๐ฎ๐๐๐ช๐๐ชะฐษฮฑ๐๐๐ข๐โบ๐ถ๐๐ถ๐ผ๐๐บ]maz[o0]n\s?(pay|marketplace|\.com)|แตโคปแถป'
20 )
21 or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
22 or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
23 or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
24 or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
25 or regex.icontains(sender.display_name,
26 "prime (subscription|notification|support)"
27 )
28 or strings.ilike(subject.subject, "*prime membership*")
29 or (
30 strings.ilevenshtein(sender.display_name, 'amazon') <= 1
31 and sender.email.domain.root_domain in $free_email_providers
32 )
33 or (
34 any(ml.nlu_classifier(body.current_thread.text).intents,
35 .name == "cred_theft" and .confidence == "high"
36 )
37 and any(beta.ml_topic(body.current_thread.text).topics,
38 .name in (
39 "Security and Authentication",
40 "Secure Message",
41 "Reminders and Notifications",
42 "Order Confirmations",
43 "Customer Service and Support"
44 )
45 )
46 and strings.icontains(body.current_thread.text, "amazon")
47 )
48 )
49 // negate listservs
50 and not (
51 any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
52 and strings.contains(sender.display_name, "via")
53 )
54 and sender.email.domain.root_domain not in~ (
55 'amazon.com',
56 'amazon.com.au',
57 'amazon.de',
58 'amazon.es',
59 'amazon.fr',
60 'amazon.it',
61 'amazon.in',
62 'amazon.lu',
63 'amazon.nl',
64 'amazonsellerservices.com',
65 'amazon.ae',
66 'amazon.sa',
67 'amazon.com.be',
68 'amazon.com.sg',
69 'amazon.co.uk',
70 'amazon.co.jp',
71 'amazon.com.mx',
72 'amazon.com.br',
73 'amazon.com.tr',
74 'amazon.cn',
75 'amazon.ca',
76 'amazon.sg',
77 'amazonaws.cn',
78 'amazonpay.in',
79 'amazonpay.com',
80 'q4inc.com',
81 'synchronybank.com',
82 'opodo.com',
83 'flynas.com',
84 'amazonmusic.com',
85 'blink.com',
86 'affirm.com',
87 'amazon.work',
88 'amazon.jobs',
89 'rocketmoney.com',
90 'registrar.amazon',
91 'amazonworkspaces.com'
92 )
93
94 // negate amazon.com.be explicitly, this cannot be part of the root_domain set above as it uses the PSL (Public suffix list) for parsing and com.be is owned by amazon directly.
95 and sender.email.domain.domain not in~ ('amazon.com.be', )
96 and sender.email.email not in $recipient_emails
97 and sender.email.domain.domain not in $org_domains
98
99 // negate highly trusted sender domains unless they fail DMARC authentication
100 and (
101 (
102 sender.email.domain.root_domain in $high_trust_sender_root_domains
103 and not headers.auth_summary.dmarc.pass
104 )
105 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
106 )
107
108attack_types:
109 - "Credential Phishing"
110tactics_and_techniques:
111 - "Impersonation: Brand"
112 - "Social engineering"
113detection_methods:
114 - "Header analysis"
115 - "Sender analysis"
116id: "13fc967d-4cc6-501d-9637-8c0761a1a354"