Brand impersonation: Amazon
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).
Sublime rule (View on GitHub)
```yaml
name: "Brand impersonation: Amazon"
description: |
  Impersonation of Amazon. These are most commonly fake shipping notifications.
  Amazon is the #2 most-impersonated brand (as of Q2 2020)
references:
  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
type: "rule"
severity: "low"
source: |
  type.inbound
  // genuine Amazon relays tag their notifications with this header
  and not any(headers.hops,
              any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
  )
  and (
    // leading character class: ASCII 'a' plus Unicode look-alikes (e.g. Cyrillic а, Greek α, fullwidth ａ)
    regex.icontains(sender.display_name,
                    '\b[aaa๐ฐa๏ฝ๐๐ฎ๐๐๐ช๐๐ชะฐษฮฑ๐๐๐ข๐โบ๐ถ๐๐ถ๐ผ๐๐บ]maz[o0]n\s?(pay|marketplace|\.com)|แตโคปแถป'
    )
    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
    or strings.ilevenshtein(sender.display_name, 'prime notification') <= 1
    or strings.ilevenshtein(sender.display_name, 'prime support') <= 1
    or strings.ilike(subject.subject, "*prime membership*")
    or (
      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
      and sender.email.domain.root_domain in $free_email_providers
    )
  )
  // negate listservs
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )
  and sender.email.domain.root_domain not in~ (
    'amazon.com',
    'amazon.com.au',
    'amazon.de',
    'amazon.es',
    'amazon.fr',
    'amazon.it',
    'amazon.in',
    'amazon.lu',
    'amazon.nl',
    'amazonsellerservices.com',
    'amazon.ae',
    'amazon.sa',
    'amazon.com.be',
    'amazon.com.sg',
    'amazon.co.uk',
    'amazon.co.jp',
    'amazon.com.mx',
    'amazon.com.br',
    'amazon.com.tr',
    'amazon.cn',
    'amazon.ca',
    'amazon.sg',
    'amazonpay.in',
    'amazonpay.com',
    'q4inc.com',
    'synchronybank.com',
    'opodo.com',
    'flynas.com'
  )

  // negate amazon.com.be explicitly: it cannot be matched by the root_domain set above,
  // because root_domain is parsed with the PSL (Public Suffix List) and com.be is owned by Amazon directly.
  and sender.email.domain.domain not in~ (
    'amazon.com.be',
  )

  and sender.email.email not in $recipient_emails
  and sender.email.domain.domain not in $org_domains

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "13fc967d-4cc6-501d-9637-8c0761a1a354"
```
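To show how the pieces of the rule above fit together, here is an added Python re-implementation of its core logic (this is example code, not Sublime's MQL engine or rule code). The `evaluate()` function, the constructed message dicts, and the abbreviated stand-ins for `$free_email_providers`, the Amazon root-domain list, the homoglyph class and the Public Suffix List are all assumptions for illustration.

```python
import re
# Abbreviated stand-ins for the rule's lists and for the PSL (constructed for this example).
AMAZON_ROOT_DOMAINS = {"amazon.com", "amazon.co.uk", "amazon.de", "amazonpay.com"}
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
PUBLIC_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
LOOKALIKE_NAMES = ["amazon.com", "amazon pay", "amazon marketplace",
                   "amazon customer support", "prime notification", "prime support"]
# Same shape as the rule's regex; the homoglyph class is shortened to a, Cyrillic а, Greek α, fullwidth ａ
AMAZON_RE = re.compile(r"\b[aаαａ]maz[o0]n\s?(pay|marketplace|\.com)", re.IGNORECASE)

def ilevenshtein(a, b):
    """Case-insensitive edit distance (what strings.ilevenshtein computes)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def root_domain(domain):
    """Registrable domain using the tiny PSL above (MQL's root_domain uses the real list)."""
    labels = domain.lower().split(".")
    return ".".join(labels[-3:] if ".".join(labels[-2:]) in PUBLIC_SUFFIXES else labels[-2:])

def evaluate(msg):
    """True when msg (a constructed dict) would match the rule's logic."""
    name, headers = msg["display_name"], msg.get("headers", {})
    root = root_domain(msg["domain"])
    # genuine Amazon relays tag notifications with this header; skip them
    if headers.get("X-Amazon-Mail-Relay-Type") == "notification":
        return False
    looks_like_amazon = (
        AMAZON_RE.search(name) is not None
        or any(ilevenshtein(name, n) <= 1 for n in LOOKALIKE_NAMES)
        or "prime membership" in msg.get("subject", "").lower()
        or (ilevenshtein(name, "amazon") <= 1 and root in FREE_EMAIL_PROVIDERS)
    )
    if not looks_like_amazon:
        return False
    # negate listservs: "X via Y" display name plus a List-Unsubscribe header
    if "List-Unsubscribe" in headers and "via" in name:
        return False
    if root in AMAZON_ROOT_DOMAINS:
        return False
    # highly trusted root domains are only flagged when DMARC fails
    if root in msg.get("high_trust", set()) and msg.get("dmarc_pass", False):
        return False
    return True
```

The `high_trust` and `dmarc_pass` keys stand in for `$high_trust_sender_root_domains` and `headers.auth_summary.dmarc.pass`, which the real rule reads from the message and the environment.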