Brand impersonation: Amazon with suspicious attachment

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)

Sublime rule (View on GitHub)

```yaml
name: "Brand impersonation: Amazon with suspicious attachment"
description: |
  Impersonation of Amazon. These are most commonly fake shipping notifications.
  Amazon is the #2 most-impersonated brand (as of Q2 2020)
references:
  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
      strings.ilike(sender.display_name, "amazon*")
      or any(attachments, strings.icontains(.file_name, "amazon"))
      or any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and any(file.explode(.),
              strings.icontains(.scan.ocr.raw, "amazon")
          )
      )
  )
  and any(attachments,
          (.file_type in $file_types_images or .file_type == "pdf")
          and any(ml.logo_detect(.).brands, .name == "Amazon" and .confidence in~ ("medium", "high"))
          and (
            any(file.explode(.),
                any(ml.nlu_classifier(.scan.ocr.raw).intents,
                    .name != "benign" and .confidence == "high"
                )
            )
            or any(ml.nlu_classifier(coalesce(body.html.display_text, body.plain.raw)).intents,
                   .name != "benign" and .confidence == "high"
            )
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )
  and sender.email.domain.root_domain not in~ (
    'a2z.com',
    'amazon.com',
    'amazon.com.au',
    'amazon.co.uk',
    'amazon.de',
    'amazon.es',
    'amazon.fr',
    'amazon.it',
    'amazon.in',
    'amazon.lu',
    'amazonsellerservices.com',
    'amazon.ae',
    'amazon.sa',
    'amazon.cn',
    'amazon.ca',
    'amazon.com.mx',
    'amazon.com.br',
    'amazon.sg',
    'amazon.com.tr',
    'amazonpay.in',
    'amazonpay.com',
    'synchronybank.com',
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Computer Vision"
  - "File analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "5751dcb9-071d-540b-9ec3-410d6aa80c11"
```
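The rule above chains four independent gates: an Amazon brand signal (display name, attachment name, or OCR text), an ML confirmation on a visual attachment (logo detection plus a high-confidence non-benign intent from the OCR text or the body), an untrusted sender profile, and a root-domain allowlist that exempts Amazon's own sending domains. The Python below is an added illustration of that gate structure, not Sublime's engine or the rule's own code: the ML outputs (`logo_brands`, `ocr_intents`, `body_intents`), the `$file_types_images` stand-in, the sender profile flags and the three sample messages are all constructed, and every message is assumed to already satisfy `type.inbound`. It shows why a legitimate amazon.com message with an Amazon logo is not flagged (allowlist gate) and why a lookalike with only a low-confidence logo hit is not flagged either (ML gate).

```python
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Allowlist copied from the rule's `not in~` list (compared case-insensitively).
ALLOWED_ROOT_DOMAINS = {
    "a2z.com", "amazon.com", "amazon.com.au", "amazon.co.uk", "amazon.de",
    "amazon.es", "amazon.fr", "amazon.it", "amazon.in", "amazon.lu",
    "amazonsellerservices.com", "amazon.ae", "amazon.sa", "amazon.cn",
    "amazon.ca", "amazon.com.mx", "amazon.com.br", "amazon.sg",
    "amazon.com.tr", "amazonpay.in", "amazonpay.com", "synchronybank.com",
}
# Assumed stand-in for the $file_types_images list referenced by the rule.
IMAGE_TYPES = {"png", "jpg", "jpeg", "gif", "bmp"}


@dataclass
class Attachment:
    file_name: str
    file_type: str
    ocr_text: str = ""  # stands in for .scan.ocr.raw of the exploded file
    # (brand, confidence) pairs, standing in for ml.logo_detect(.).brands
    logo_brands: list[tuple[str, str]] = field(default_factory=list)
    # (intent, confidence) pairs, standing in for the NLU result over the OCR text
    ocr_intents: list[tuple[str, str]] = field(default_factory=list)


@dataclass
class Message:
    display_name: str            # sender.display_name
    root_domain: str             # sender.email.domain.root_domain
    attachments: list[Attachment]
    body_intents: list[tuple[str, str]]  # NLU result over the body text
    solicited: bool              # profile.by_sender().solicited
    any_malicious_or_spam: bool = False
    any_false_positives: bool = False


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob, like strings.ilike."""
    return fnmatchcase(value.lower(), pattern.lower())


def icontains(haystack: str, needle: str) -> bool:
    return needle.lower() in haystack.lower()


def is_visual(a: Attachment) -> bool:
    return a.file_type.lower() in IMAGE_TYPES or a.file_type.lower() == "pdf"


def high_confidence_non_benign(intents: list[tuple[str, str]]) -> bool:
    return any(name != "benign" and conf == "high" for name, conf in intents)


def amazon_brand_signal(m: Message) -> bool:
    """Gate 1: any textual hint that the message poses as Amazon."""
    return (ilike(m.display_name, "amazon*")
            or any(icontains(a.file_name, "amazon") for a in m.attachments)
            or any(is_visual(a) and icontains(a.ocr_text, "amazon") for a in m.attachments))


def suspicious_attachment(m: Message) -> bool:
    """Gate 2: a visual attachment carrying the Amazon logo AND a malicious intent."""
    for a in m.attachments:
        if not is_visual(a):
            continue
        logo_hit = any(brand == "Amazon" and conf.lower() in ("medium", "high")
                       for brand, conf in a.logo_brands)
        if logo_hit and (high_confidence_non_benign(a.ocr_intents)
                         or high_confidence_non_benign(m.body_intents)):
            return True
    return False


def sender_untrusted(m: Message) -> bool:
    """Gate 3: unsolicited sender, or a sender with prior bad mail and no FPs."""
    return (not m.solicited) or (m.any_malicious_or_spam and not m.any_false_positives)


def matches_rule(m: Message) -> bool:
    return (amazon_brand_signal(m) and suspicious_attachment(m)
            and sender_untrusted(m)
            and m.root_domain.lower() not in ALLOWED_ROOT_DOMAINS)


# Constructed samples (not real messages).
PHISH = Message("Amazon Shipping", "amaz0n-delivery.example",
                [Attachment("Order_Confirmation.pdf", "pdf",
                            ocr_text="amazon.com: your parcel is on hold, confirm payment",
                            logo_brands=[("Amazon", "high")],
                            ocr_intents=[("cred_theft", "high")])],
                body_intents=[("benign", "high")], solicited=False)
LEGIT = Message("Amazon.com", "amazon.com",
                [Attachment("invoice.pdf", "pdf", ocr_text="amazon.com invoice",
                            logo_brands=[("Amazon", "high")],
                            ocr_intents=[("cred_theft", "high")])],
                body_intents=[("benign", "high")], solicited=False)
LOW_CONF = Message("Amazon Support", "amazon-help.example",
                   [Attachment("notice.png", "png", ocr_text="amazon account locked",
                               logo_brands=[("Amazon", "low")],
                               ocr_intents=[("cred_theft", "high")])],
                   body_intents=[("cred_theft", "high")], solicited=False)

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT), ("low_conf", LOW_CONF)):
        print(f"{label}: {'FLAGGED' if matches_rule(msg) else 'pass'}")
```

Each gate is a separate function so a tuning change (for example, accepting only `high` logo confidence) can be tested in isolation against the constructed samples before touching the production rule.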