Brand impersonation: Amazon

Apr 23, 2024 ·
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Sublime rule (View on GitHub)

 1name: "Brand impersonation: Amazon"
 2description: |
 3  Impersonation of Amazon. These are most commonly fake shipping notifications.
 4  Amazon is the #2 most-impersonated brand (as of Q2 2020)  
 5references:
 6  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
 7  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
 8type: "rule"
 9severity: "low"
10source: |
11  type.inbound
12  and not any(headers.hops,
13              any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
14  )
15  and (
16    regex.icontains(sender.display_name,
17                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
18    )
19    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
20    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
21    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
22    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
23    or (
24      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
25      and sender.email.domain.root_domain in $free_email_providers
26    )
27  )
28  // negate listservs
29  and not (
30      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
31      and strings.contains(sender.display_name, "via")
32  )
33  and sender.email.domain.root_domain not in~ (
34    'amazon.com',
35    'amazon.com.au',
36    'amazon.com.be',
37    'amazon.co.uk',
38    'amazon.co.jp',
39    'amazon.de',
40    'amazon.es',
41    'amazon.fr',
42    'amazon.it',
43    'amazon.in',
44    'amazon.lu',
45    'amazon.nl',
46    'amazon.com.au',
47    'amazonsellerservices.com',
48    'amazon.ae',
49    'amazon.sa',
50    'amazon.cn',
51    'amazon.ca',
52    'amazon.com.mx',
53    'amazon.com.br',
54    'amazon.sg',
55    'amazon.com.tr',
56    'amazonpay.in',
57    'amazonpay.com',
58    'q4inc.com',
59    'synchronybank.com',
60  )
61  and sender.email.email not in $recipient_emails
62  and sender.email.domain.domain not in $org_domains
63
64  // negate highly trusted sender domains unless they fail DMARC authentication
65  and (
66    (
67      sender.email.domain.root_domain in $high_trust_sender_root_domains
68      and not headers.auth_summary.dmarc.pass
69    )
70    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
71  )  
72
73attack_types:
74  - "Credential Phishing"
75tactics_and_techniques:
76  - "Impersonation: Brand"
77  - "Social engineering"
78detection_methods:
79  - "Header analysis"
80  - "Sender analysis"
81id: "13fc967d-4cc6-501d-9637-8c0761a1a354"