Brand impersonation: Amazon

Oct 27, 2023 ·
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Sublime rule (View on GitHub)

 1name: "Brand impersonation: Amazon"
 2description: |
 3  Impersonation of Amazon. These are most commonly fake shipping notifications.
 4  Amazon is the #2 most-impersonated brand (as of Q2 2020)  
 5references:
 6  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
 7  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
 8type: "rule"
 9severity: "low"
10source: |
11  type.inbound
12  and not any(headers.hops,
13              any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
14  )
15  and (
16    regex.icontains(sender.display_name,
17                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
18    )
19    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
20    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
21    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
22    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
23    or (
24      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
25      and sender.email.domain.root_domain in $free_email_providers
26    )
27  )
28  // negate listservs
29  and not (
30      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
31      and strings.contains(sender.display_name, "via")
32  )
33  and sender.email.domain.root_domain not in~ (
34    'amazon.com',
35    'amazon.com.au',
36    'amazon.com.be',
37    'amazon.co.uk',
38    'amazon.de',
39    'amazon.es',
40    'amazon.fr',
41    'amazon.it',
42    'amazon.in',
43    'amazon.lu',
44    'amazon.com.au',
45    'amazonsellerservices.com',
46    'amazon.ae',
47    'amazon.sa',
48    'amazon.cn',
49    'amazon.ca',
50    'amazon.com.mx',
51    'amazon.com.br',
52    'amazon.sg',
53    'amazon.com.tr',
54    'amazonpay.in',
55    'amazonpay.com',
56    'q4inc.com',
57    'synchronybank.com',
58  )
59  and sender.email.email not in $recipient_emails
60  and sender.email.domain.domain not in $org_domains
61
62  // negate highly trusted sender domains unless they fail DMARC authentication
63  and
64  (
65    (
66      sender.email.domain.root_domain in $high_trust_sender_root_domains
67      and (
68        any(distinct(headers.hops, .authentication_results.dmarc is not null),
69            strings.ilike(.authentication_results.dmarc, "*fail")
70        )
71      )
72    )
73    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
74  )  
75
76attack_types:
77  - "Credential Phishing"
78tactics_and_techniques:
79  - "Impersonation: Brand"
80  - "Social engineering"
81detection_methods:
82  - "Header analysis"
83  - "Sender analysis"
84id: "13fc967d-4cc6-501d-9637-8c0761a1a354"