Brand impersonation: Amazon

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).

Sublime rule

# Sublime Security detection rule (MQL query in the `source` field).
# Flags inbound mail whose sender display name or body imitates Amazon,
# then carves out Amazon-owned / partner domains and trusted senders.
name: "Brand impersonation: Amazon"
description: |
  Impersonation of Amazon. These are most commonly fake shipping notifications.
  Amazon is the #2 most-impersonated brand (as of Q2 2020)  
references:
  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
type: "rule"
severity: "low"
# Lines starting with "//" inside the block scalar are MQL comments.
source: |
  // inbound mail only
  type.inbound
  // skip mail carrying the Amazon relay marker header with value "notification".
  // NOTE(review): nothing here ties this header to an authentication result,
  // so the exclusion rests on the header value alone - confirm that is acceptable.
  and not any(headers.hops,
              any(.fields,
                  .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification"
              )
  )
  // impersonation signals; any single branch is sufficient
  and (
    // "amazon" with a confusable first character and an o/0 swap, optionally
    // followed by "pay", "marketplace" or ".com" (case-insensitive). The final
    // alternative appears mis-encoded in this rendering - verify against the repository copy.
    regex.icontains(sender.display_name,
                    '\b[aaa๐ฐa๏ฝ๐‘Ž๐—ฎ๐•’๐–†๐“ช๐šŠ๐žªะฐษ‘ฮฑ๐”ž๐’‚๐˜ข๐›‚โบ๐’ถ๐™–๐œถ๐›ผ๐š๐–บ]maz[o0]n\s?(pay|marketplace|\.com)|แตƒโคปแถป'
    )
    // display names within one case-insensitive edit of well-known Amazon sender names
    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
    // "prime <subscription|notification|support>" display names and "prime membership" subjects
    or regex.icontains(sender.display_name,
                       "prime (subscription|notification|support)"
    )
    or strings.ilike(subject.subject, "*prime membership*")
    // a bare near-"amazon" display name is only suspicious when sent from a free email provider
    or (
      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
      and sender.email.domain.root_domain in $free_email_providers
    )
    // body-based signal: high-confidence credential-theft intent, an Amazon-adjacent
    // topic from the (beta) topic classifier, and the literal string "amazon" in the thread
    or (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Security and Authentication",
                "Secure Message",
                "Reminders and Notifications",
                "Order Confirmations",
                "Customer Service and Support"
              )
      )
      and strings.icontains(body.current_thread.text, "amazon")
    )
  )
  // negate listservs
  // (List-Unsubscribe hop header plus "via" in the display name; strings.contains
  //  is case-sensitive, unlike the icontains calls above - confirm that is intended)
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )
  // negate Amazon-owned and known partner root domains (case-insensitive match).
  // NOTE(review): this allowlist is static and not conditioned on headers.auth_summary;
  // only the $high_trust_sender_root_domains branch at the end requires a DMARC pass.
  and sender.email.domain.root_domain not in~ (
    'amazon.com',
    'amazon.com.au',
    'amazon.de',
    'amazon.es',
    'amazon.fr',
    'amazon.it',
    'amazon.in',
    'amazon.lu',
    'amazon.nl',
    'amazonsellerservices.com',
    'amazon.ae',
    'amazon.sa',
    'amazon.com.be',
    'amazon.com.sg',
    'amazon.co.uk',
    'amazon.co.jp',
    'amazon.com.mx',
    'amazon.com.br',
    'amazon.com.tr',
    'amazon.cn',
    'amazon.ca',
    'amazon.sg',
    'amazonpay.in',
    'amazonpay.com',
    'q4inc.com',
    'synchronybank.com',
    'opodo.com',
    'flynas.com',
    'amazonmusic.com',
    'blink.com',
    'affirm.com',
    'amazon.work',
    'amazon.jobs',
    'rocketmoney.com'
  )

  // negate amazon.com.be explicitly, this cannot be part of the root_domain set above as it uses the PSL (Public suffix list) for parsing and com.be is owned by amazon directly.
  and sender.email.domain.domain not in~ ('amazon.com.be', )
  // negate self-addressed mail and the organization's own domains
  and sender.email.email not in $recipient_emails
  and sender.email.domain.domain not in $org_domains

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  

# Taxonomy tags used for triage and reporting.
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
# Stable rule identifier; keep unchanged across edits.
id: "13fc967d-4cc6-501d-9637-8c0761a1a354"