Brand impersonation: Amazon

 1name: "Brand impersonation: Amazon"
 2description: |
 3  Impersonation of Amazon. These are most commonly fake shipping notifications.
 4  Amazon is the #2 most-impersonated brand (as of Q2 2020)  
 5references:
 6  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
 7  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
 8type: "rule"
 9severity: "low"
10source: |
11  type.inbound
12  and not any(headers.hops,
13              any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
14  )
15  and (
16    regex.icontains(sender.display_name,
17                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
18    )
19    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
20    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
21    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
22    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
23    or regex.icontains(sender.display_name, "prime (subscription|notification|support)")
24    or strings.ilike(subject.subject, "*prime membership*")
25    or (
26      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
27      and sender.email.domain.root_domain in $free_email_providers
28    )
29  )
30  // negate listservs
31  and not (
32      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
33      and strings.contains(sender.display_name, "via")
34  )
35  and sender.email.domain.root_domain not in~ (
36    'amazon.com',
37    'amazon.com.au',
38    'amazon.de',
39    'amazon.es',
40    'amazon.fr',
41    'amazon.it',
42    'amazon.in',
43    'amazon.lu',
44    'amazon.nl',
45    'amazonsellerservices.com',
46    'amazon.ae',
47    'amazon.sa',
48    'amazon.com.be',
49    'amazon.com.sg',
50    'amazon.co.uk',
51    'amazon.co.jp',
52    'amazon.com.mx',
53    'amazon.com.br',
54    'amazon.com.tr',
55    'amazon.cn',
56    'amazon.ca',
57    'amazon.sg',
58    'amazonpay.in',
59    'amazonpay.com',
60    'q4inc.com',
61    'synchronybank.com',
62    'opodo.com',
63    'flynas.com',
64    'amazonmusic.com'
65  )
66  
67  // negate amazon.com.be explicitly, this cannot be part of the root_domain set above as it uses the PSL (Public suffix list) for parsing and com.be is owned by amazon directly.
68  and sender.email.domain.domain not in~ (
69    'amazon.com.be',
70  )
71  
72  and sender.email.email not in $recipient_emails
73  and sender.email.domain.domain not in $org_domains
74  
75  // negate highly trusted sender domains unless they fail DMARC authentication
76  and (
77    (
78      sender.email.domain.root_domain in $high_trust_sender_root_domains
79      and not headers.auth_summary.dmarc.pass
80    )
81    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
82  )  
83
84attack_types:
85  - "Credential Phishing"
86tactics_and_techniques:
87  - "Impersonation: Brand"
88  - "Social engineering"
89detection_methods:
90  - "Header analysis"
91  - "Sender analysis"
92id: "13fc967d-4cc6-501d-9637-8c0761a1a354"