Brand impersonation: Amazon
Impersonation of Amazon in the sender display name. These are most commonly fake shipping notifications. Amazon was the #2 most-impersonated brand in phishing (as of Q2 2020).
Sublime rule
name: "Brand impersonation: Amazon"
description: |
  Impersonation of Amazon. These are most commonly fake shipping notifications.
  Amazon is the #2 most-impersonated brand (as of Q2 2020)
references:
  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
type: "rule"
severity: "low"
source: |
  type.inbound
  // exclude mail tagged as an Amazon notification by its relay header
  and not any(headers.hops,
              any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
  )
  and (
    // 'a' look-alikes (fullwidth, mathematical alphanumerics, Cyrillic, Latin/Greek alpha);
    // this class and the superscript alternative are reconstructed from a mis-encoded copy
    // of the rule, so check them against the published rule before deploying
    regex.icontains(sender.display_name,
                    '\b[aａ𝐚𝑎𝒂𝒶𝓪𝔞𝕒𝖆𝖺𝗮𝘢𝙖𝚊𝘼𝙰аɑα]maz[o0]n\s?(pay|marketplace|\.com)|ᵃᵐᵃᶻᵒⁿ'
    )
    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
    or (
      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
      and sender.email.domain.root_domain in $free_email_providers
    )
  )
  // negate listservs
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )
  and sender.email.domain.root_domain not in~ (
    'amazon.com',
    'amazon.com.au',
    'amazon.com.be',
    'amazon.co.uk',
    'amazon.co.jp',
    'amazon.de',
    'amazon.es',
    'amazon.fr',
    'amazon.it',
    'amazon.in',
    'amazon.lu',
    'amazon.nl',
    'amazonsellerservices.com',
    'amazon.ae',
    'amazon.sa',
    'amazon.cn',
    'amazon.ca',
    'amazon.com.mx',
    'amazon.com.br',
    'amazon.sg',
    'amazon.com.tr',
    'amazonpay.in',
    'amazonpay.com',
    'q4inc.com',
    'synchronybank.com',
  )
  and sender.email.email not in $recipient_emails
  and sender.email.domain.domain not in $org_domains

  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "13fc967d-4cc6-501d-9637-8c0761a1a354"
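To see how the clauses of the rule interact, here is an added Python re-implementation of its sender checks, run over constructed sample messages. It is not Sublime's engine or the rule as shipped: regex.icontains, strings.ilevenshtein, root_domain and the $free_email_providers / $high_trust_sender_root_domains lists are replaced by small local stand-ins, and the homoglyph set, the public-suffix table, the trusted-domain list and every sample sender are assumptions made for the example.

```python
"""Added example, not Sublime's engine: the Amazon rule's sender checks in Python. MQL helpers
(regex.icontains, strings.ilevenshtein, root_domain, $-lists) become local stand-ins; every
domain list, homoglyph and sample message below is a constructed assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The rule's excluded Amazon root domains (its duplicate 'amazon.com.au' entry dropped).
AMAZON_ROOT_DOMAINS = frozenset({
    "amazon.com", "amazon.com.au", "amazon.com.be", "amazon.co.uk", "amazon.co.jp", "amazon.de",
    "amazon.es", "amazon.fr", "amazon.it", "amazon.in", "amazon.lu", "amazon.nl", "amazon.ae",
    "amazon.sa", "amazon.cn", "amazon.ca", "amazon.com.mx", "amazon.com.br", "amazon.sg",
    "amazon.com.tr", "amazonsellerservices.com", "amazonpay.in", "amazonpay.com", "q4inc.com",
    "synchronybank.com",
})
# Constructed stand-ins for $free_email_providers and $high_trust_sender_root_domains.
FREE_EMAIL_PROVIDERS = frozenset({"gmail.com", "outlook.com", "yahoo.com"})
HIGH_TRUST_ROOT_DOMAINS = frozenset({"salesforce.com"})
# Our own 'a' look-alikes (fullwidth, mathematical alphanumerics, Cyrillic, Latin and Greek
# alpha); all are Unicode letters, so `\b` still matches in front of them.
A_HOMOGLYPHS = "aａ𝐚𝑎𝒂𝒶𝓪𝔞𝕒𝖆𝖺𝗮𝘢𝙖𝚊𝘼𝙰аɑα"
DISPLAY_NAME_RE = re.compile(
    r"\b[" + A_HOMOGLYPHS + r"]maz[o0]n\s?(pay|marketplace|\.com)|ᵃᵐᵃᶻᵒⁿ", re.IGNORECASE
)
# Minimal public-suffix table for the domains above (Sublime's root_domain uses the full list).
MULTI_LABEL_SUFFIXES = frozenset({"co.uk", "co.jp", "com.au", "com.be", "com.br", "com.mx", "com.tr"})

def root_domain(domain: str) -> str:
    labels = domain.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance, like MQL's strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Message:
    display_name: str
    sender_email: str
    headers: dict[str, str] = field(default_factory=dict)
    inbound: bool = True
    dmarc_pass: bool = False
    recipient_emails: frozenset[str] = frozenset()
    org_domains: frozenset[str] = frozenset()

def matches(msg: Message) -> bool:
    """Evaluate the rule's source clause by clause; True means the rule fires."""
    if not msg.inbound or msg.headers.get("X-Amazon-Mail-Relay-Type") == "notification":
        return False
    name = msg.display_name
    sender_domain = msg.sender_email.rsplit("@", 1)[-1].lower()
    root = root_domain(sender_domain)
    lookalike = (
        DISPLAY_NAME_RE.search(name) is not None
        or ilevenshtein(name, "amazon.com") <= 1
        or ilevenshtein(name, "amazon pay") <= 1
        or ilevenshtein(name, "amazon marketplace") <= 1
        or ilevenshtein(name, "amazon customer support") <= 1
        or (ilevenshtein(name, "amazon") <= 1 and root in FREE_EMAIL_PROVIDERS)
    )
    if not lookalike:
        return False
    if "List-Unsubscribe" in msg.headers and "via" in name:  # listserv relay
        return False
    if root in AMAZON_ROOT_DOMAINS:
        return False
    if msg.sender_email.lower() in msg.recipient_emails or sender_domain in msg.org_domains:
        return False
    return not (root in HIGH_TRUST_ROOT_DOMAINS and msg.dmarc_pass)  # trusted and authenticated

# Constructed sample senders, one per branch of the rule.
RELAY = {"X-Amazon-Mail-Relay-Type": "notification"}
LISTSERV = {"List-Unsubscribe": "<mailto:unsub@lists.example>"}
SAMPLES = {
    "lookalike_domain": Message("Amazon.com", "orders@amazon-delivery-notice.example"),
    "cyrillic_a_free_mail": Message("Am\u0430zon", "ship-notice@gmail.com"),
    "math_script_a": Message("\U0001d4eamazon.com", "alerts@outlook.com"),
    "superscript": Message("ᵃᵐᵃᶻᵒⁿ", "deals@yahoo.com"),
    "real_amazon": Message("Amazon.com", "ship-confirm@amazon.com"),
    "relay_notification": Message("Amazon.com", "noreply@relay.example", headers=RELAY),
    "listserv": Message("Amazon Marketplace via Groups", "groups@lists.example", headers=LISTSERV),
    "trusted_dmarc_pass": Message("Amazon Pay", "news@salesforce.com", dmarc_pass=True),
    "trusted_dmarc_fail": Message("Amazon Pay", "news@salesforce.com", dmarc_pass=False),
    "bare_amazon_corporate": Message("Amazon", "alerts@contoso.example"),
}

def run_samples() -> dict[str, bool]:
    return {label: matches(m) for label, m in SAMPLES.items()}
```

Two of the samples are worth reading together. The Cyrillic "Amаzon" case is not caught by the regex (the look-alike class only covers the first letter, and the literal "maz" needs an ASCII a) but is caught by the Levenshtein branch, which only counts because the sender uses a free-mail domain; the same display name from a registered look-alike domain, as in bare_amazon_corporate, does not fire at all. The two salesforce.com samples show that headers.auth_summary.dmarc.pass is consulted only for $high_trust_sender_root_domains senders, and the relay_notification sample shows that the X-Amazon-Mail-Relay-Type exclusion is a plain header-value check with no authentication behind it in this rule.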