Brand impersonation: Amazon

Jul 3, 2024 ·
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Sublime rule (View on GitHub)

 1name: "Brand impersonation: Amazon"
 2description: |
 3  Impersonation of Amazon. These are most commonly fake shipping notifications.
 4  Amazon is the #2 most-impersonated brand (as of Q2 2020)  
 5references:
 6  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
 7  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
 8type: "rule"
 9severity: "low"
10source: |
11  type.inbound
12  and not any(headers.hops,
13              any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
14  )
15  and (
16    regex.icontains(sender.display_name,
17                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
18    )
19    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
20    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
21    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
22    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
23    or strings.ilevenshtein(sender.display_name, 'prime notification') <= 1
24    or strings.ilevenshtein(sender.display_name, 'prime support') <= 1
25    or strings.ilike(subject.subject, "*prime membership*")
26    or (
27      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
28      and sender.email.domain.root_domain in $free_email_providers
29    )
30  )
31  // negate listservs
32  and not (
33      any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
34      and strings.contains(sender.display_name, "via")
35  )
36  and sender.email.domain.root_domain not in~ (
37    'amazon.com',
38    'amazon.com.au',
39    'amazon.com.be',
40    'amazon.com.sg',
41    'amazon.co.uk',
42    'amazon.co.jp',
43    'amazon.de',
44    'amazon.es',
45    'amazon.fr',
46    'amazon.it',
47    'amazon.in',
48    'amazon.lu',
49    'amazon.nl',
50    'amazon.com.au',
51    'amazonsellerservices.com',
52    'amazon.ae',
53    'amazon.sa',
54    'amazon.cn',
55    'amazon.ca',
56    'amazon.com.mx',
57    'amazon.com.br',
58    'amazon.sg',
59    'amazon.com.tr',
60    'amazonpay.in',
61    'amazonpay.com',
62    'q4inc.com',
63    'synchronybank.com',
64    'opodo.com'
65  )
66  and sender.email.email not in $recipient_emails
67  and sender.email.domain.domain not in $org_domains
68  
69  // negate highly trusted sender domains unless they fail DMARC authentication
70  and (
71    (
72      sender.email.domain.root_domain in $high_trust_sender_root_domains
73      and not headers.auth_summary.dmarc.pass
74    )
75    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76  )  
77
78attack_types:
79  - "Credential Phishing"
80tactics_and_techniques:
81  - "Impersonation: Brand"
82  - "Social engineering"
83detection_methods:
84  - "Header analysis"
85  - "Sender analysis"
86id: "13fc967d-4cc6-501d-9637-8c0761a1a354"