Brand impersonation: Amazon
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Sublime rule
name: "Brand impersonation: Amazon"
description: |
  Impersonation of Amazon. These are most commonly fake shipping notifications.
  Amazon is the #2 most-impersonated brand (as of Q2 2020)
references:
  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
type: "rule"
severity: "low"
source: |
  type.inbound
  // genuine Amazon relay notifications carry this header; exclude them outright
  and not any(headers.hops,
              any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
  )
  and (
    // display name spelled with lookalike characters for "a" and "o"
    regex.icontains(sender.display_name,
                    '\b[aaa๐ฐa๏ฝ๐๐ฎ๐๐๐ช๐๐ชะฐษฮฑ๐๐๐ข๐โบ๐ถ๐๐ถ๐ผ๐๐บ]maz[o0]n\s?(pay|marketplace|\.com)|แตโคปแถป'
    )
    // display name within one edit of a common Amazon sender name
    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
    // a bare "amazon" only counts when sent from a free email provider
    or (
      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
      and sender.email.domain.root_domain in $free_email_providers
    )
  )
  // negate listservs
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )
  // negate legitimate Amazon root domains
  and sender.email.domain.root_domain not in~ (
    'amazon.com',
    'amazon.com.au',
    'amazon.com.be',
    'amazon.co.uk',
    'amazon.de',
    'amazon.es',
    'amazon.fr',
    'amazon.it',
    'amazon.in',
    'amazon.lu',
    'amazonsellerservices.com',
    'amazon.ae',
    'amazon.sa',
    'amazon.cn',
    'amazon.ca',
    'amazon.com.mx',
    'amazon.com.br',
    'amazon.sg',
    'amazon.com.tr',
    'amazonpay.in',
    'amazonpay.com',
    'q4inc.com',
    'synchronybank.com',
  )
  and sender.email.email not in $recipient_emails
  and sender.email.domain.domain not in $org_domains

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and (
        any(distinct(headers.hops, .authentication_results.dmarc is not null),
            strings.ilike(.authentication_results.dmarc, "*fail")
        )
      )
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "13fc967d-4cc6-501d-9637-8c0761a1a354"
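The rule above is written in Sublime's MQL. To make each branch of its logic easy to exercise offline, the following is a plain-Python re-implementation added here as an example; it is not Sublime's code or part of the rule. It assumes a simplified message model (headers flattened to a name/value dict, the DMARC result as a single field, all messages inbound), stand-in contents for the `$free_email_providers` and `$high_trust_sender_root_domains` lists, a hand-made `root_domain` with a few two-level public suffixes instead of the full Public Suffix List, and an ASCII reduction of the rule's lookalike-character regex. Everything marked as constructed or an assumption in the comments is mine, not the page's.

```python
"""Plain-Python re-implementation of the checks in the Sublime rule above (added
example, not Sublime's code). Assumptions are marked in comments."""
from dataclasses import dataclass, field
from typing import Optional
import re

# Constructed stand-ins for the rule's $free_email_providers and
# $high_trust_sender_root_domains lists (assumption: illustrative contents).
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
HIGH_TRUST_ROOT_DOMAINS = {"trusted-partner.example"}

# Legitimate root domains, copied from the rule's allowlist.
AMAZON_ROOT_DOMAINS = {
    "amazon.com", "amazon.com.au", "amazon.com.be", "amazon.co.uk", "amazon.de",
    "amazon.es", "amazon.fr", "amazon.it", "amazon.in", "amazon.lu",
    "amazonsellerservices.com", "amazon.ae", "amazon.sa", "amazon.cn", "amazon.ca",
    "amazon.com.mx", "amazon.com.br", "amazon.sg", "amazon.com.tr", "amazonpay.in",
    "amazonpay.com", "q4inc.com", "synchronybank.com",
}

# Display-name targets the rule compares with strings.ilevenshtein(...) <= 1.
LEVENSHTEIN_TARGETS = ("amazon.com", "amazon pay", "amazon marketplace",
                       "amazon customer support")

# ASCII reduction of the rule's regex (assumption: the original character class also
# holds non-Latin lookalikes of "a"; only the Latin letter and "@" are kept here).
AMAZON_REGEX = re.compile(r"\b[a@]maz[o0]n\s?(pay|marketplace|\.com)", re.IGNORECASE)

# Two-level public suffixes for the domains used here (assumption: a real
# implementation would consult the Public Suffix List).
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "com.be", "com.mx", "com.br", "com.tr"}


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive Levenshtein distance (insert/delete/substitute cost 1)."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def root_domain(domain: str) -> str:
    """Registrable domain, e.g. 'mail.amazon.co.uk' -> 'amazon.co.uk'."""
    labels = domain.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


@dataclass
class Message:
    """Simplified inbound message (assumption: headers flattened to name -> value)."""
    display_name: str
    sender_email: str
    headers: dict = field(default_factory=dict)
    dmarc: Optional[str] = None   # e.g. "pass" / "fail"; None when no DMARC result
    recipients: tuple = ()


def display_name_impersonates_amazon(name: str, sender_root: str) -> bool:
    """The rule's display-name block: regex, near-matches, free-mail-gated 'amazon'."""
    if AMAZON_REGEX.search(name):
        return True
    if any(ilevenshtein(name, t) <= 1 for t in LEVENSHTEIN_TARGETS):
        return True
    return ilevenshtein(name, "amazon") <= 1 and sender_root in FREE_EMAIL_PROVIDERS


def rule_matches(msg: Message, org_domains: frozenset = frozenset()) -> bool:
    """True when the message would fire the rule."""
    # Genuine Amazon relay notifications are excluded outright.
    if msg.headers.get("X-Amazon-Mail-Relay-Type") == "notification":
        return False
    domain = msg.sender_email.split("@", 1)[1].lower()
    root = root_domain(domain)
    if not display_name_impersonates_amazon(msg.display_name, root):
        return False
    # Listserv relays ("Amazon.com via Groups") are not impersonation.
    if "List-Unsubscribe" in msg.headers and "via" in msg.display_name:
        return False
    if root in AMAZON_ROOT_DOMAINS:
        return False
    # Self-addressed mail and the organisation's own domains are excluded.
    if msg.sender_email.lower() in {r.lower() for r in msg.recipients}:
        return False
    if domain in org_domains:
        return False
    # Highly trusted roots only fire when DMARC failed; ilike "*fail" is modelled
    # as a case-insensitive suffix match (assumption about the glob semantics).
    if root in HIGH_TRUST_ROOT_DOMAINS and not (msg.dmarc or "").lower().endswith("fail"):
        return False
    return True
```

Usage: `rule_matches(Message("Amazon", "orders@gmail.com"))` returns `True` (bare "amazon" from a free-mail provider), while the same display name from `orders@example.net` returns `False`, which shows why the free-mail gate exists: a bare "Amazon" display name on a company domain is too common a false positive on its own. Wrapping the allowlist in `root_domain` rather than matching the full sender domain is what lets `no-reply@mail.amazon.co.uk` pass without listing every Amazon mail subdomain.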