Brand impersonation: Amazon

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Sublime rule (View on GitHub)

  1name: "Brand impersonation: Amazon"
  2description: |
  3  Impersonation of Amazon. These are most commonly fake shipping notifications.
  4  Amazon is the #2 most-impersonated brand (as of Q2 2020)  
  5references:
  6  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
  7  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
  8type: "rule"
  9severity: "low"
 10source: |
 11  type.inbound
 12  and not any(headers.hops,
 13              any(.fields,
 14                  .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification"
 15              )
 16  )
 17  and (
 18    regex.icontains(sender.display_name,
 19                    '\b[aaa๐ฐa๏ฝ๐‘Ž๐—ฎ๐•’๐–†๐“ช๐šŠ๐žชะฐษ‘ฮฑ๐”ž๐’‚๐˜ข๐›‚โบ๐’ถ๐™–๐œถ๐›ผ๐š๐–บ]maz[o0]n\s?(pay|marketplace|\.com)|แตƒโคปแถป'
 20    )
 21    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
 22    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
 23    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
 24    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
 25    or regex.icontains(sender.display_name,
 26                       "prime (?:subscription|notification|support)"
 27    )
 28    or regex.imatch(sender.display_name, '^(?:amazon\s)?prime (?:deals?|store)$')
 29    or strings.ilike(subject.subject, "*prime membership*")
 30    or (
 31      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
 32      and sender.email.domain.root_domain in $free_email_providers
 33    )
 34    or (
 35      any(ml.nlu_classifier(body.current_thread.text).intents,
 36          .name == "cred_theft" and .confidence == "high"
 37      )
 38      and any(ml.nlu_classifier(body.current_thread.text).topics,
 39              .name in (
 40                "Security and Authentication",
 41                "Secure Message",
 42                "Reminders and Notifications",
 43                "Order Confirmations",
 44                "Customer Service and Support"
 45              )
 46      )
 47      and strings.icontains(body.current_thread.text, "amazon")
 48    )
 49  )
 50  // negate listservs
 51  and not (
 52    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
 53    and strings.contains(sender.display_name, "via")
 54  )
 55  and sender.email.domain.root_domain not in~ (
 56    'amazon.com',
 57    'amazon.com.au',
 58    'amazon.de',
 59    'amazon.es',
 60    'amazon.fr',
 61    'amazon.it',
 62    'amazon.in',
 63    'amazon.lu',
 64    'amazon.nl',
 65    'amazonsellerservices.com',
 66    'amazon.ae',
 67    'amazon.sa',
 68    'amazon.com.sg',
 69    'amazon.co.uk',
 70    'amazon.co.jp',
 71    'amazon.com.mx',
 72    'amazon.com.br',
 73    'amazon.com.tr',
 74    'amazon.cn',
 75    'amazon.ca',
 76    'amazon.sg',
 77    'amazonaws.cn',
 78    'amazonpay.in',
 79    'amazonpay.com',
 80    'q4inc.com',
 81    'synchronybank.com',
 82    'opodo.com',
 83    'flynas.com',
 84    'amazonmusic.com',
 85    'blink.com',
 86    'affirm.com',
 87    'amazon.work',
 88    'amazon.jobs',
 89    'rocketmoney.com',
 90    'registrar.amazon',
 91    'amazonworkspaces.com',
 92    'awsapps.com',
 93    'aws.com',
 94    'awsevents.com',
 95    'amazon.se',
 96    'amazon.ie',
 97    'amazonconnect.com',
 98    'aws-experience.com',
 99    'proofpointessentials.com',
100    'area1security.com',
101    'marketplace.aws',
102    'quicksight.aws'
103  )
104  
105  // negate amazon.com.be explicitly, this cannot be part of the root_domain set above as it uses the PSL (Public suffix list) for parsing and com.be is owned by amazon directly.
106  and sender.email.domain.domain not in~ ('amazon.com.be')
107  and sender.email.email not in $recipient_emails
108  and sender.email.domain.domain not in $org_domains
109  
110  // negate highly trusted sender domains unless they fail DMARC authentication
111  and (
112    (
113      sender.email.domain.root_domain in $high_trust_sender_root_domains
114      and not headers.auth_summary.dmarc.pass
115    )
116    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
117  )  
118
119attack_types:
120  - "Credential Phishing"
121tactics_and_techniques:
122  - "Impersonation: Brand"
123  - "Social engineering"
124detection_methods:
125  - "Header analysis"
126  - "Sender analysis"
127id: "13fc967d-4cc6-501d-9637-8c0761a1a354"
to-top