Service abuse: AWS SNS callback scam impersonation

Detects callback scam messages sent through Amazon Web Services Simple Notification Service (SNS) that impersonate well-known brands like McAfee, Norton, PayPal, and others. The rule identifies fraudulent purchase receipts or service notifications containing phone numbers to solicit victim callbacks, potentially leading to financial theft or malware installation.

Sublime rule

```yaml
name: "Service abuse: AWS SNS callback scam impersonation"
description: "Detects callback scam messages sent through Amazon Web Services Simple Notification Service (SNS) that impersonate well-known brands like McAfee, Norton, PayPal, and others. The rule identifies fraudulent purchase receipts or service notifications containing phone numbers to solicit victim callbacks, potentially leading to financial theft or malware installation."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and sender.email.email == "no-reply@sns.amazonaws.com"
  and not coalesce(strings.icontains(headers.return_path.local_part,
                                     'aws-ses-bounces'
                   ),
                   false
  )
  and (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "callback_scam" and .confidence != "low"
    )
    or (
      regex.icontains(body.current_thread.text,
                      (
                        "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
                      )
      )
      and (
        3 of (
          strings.ilike(body.current_thread.text, '*purchase*'),
          strings.ilike(body.current_thread.text, '*payment*'),
          strings.ilike(body.current_thread.text, '*transaction*'),
          strings.ilike(body.current_thread.text, '*subscription*'),
          strings.ilike(body.current_thread.text, '*antivirus*'),
          strings.ilike(body.current_thread.text, '*order*'),
          strings.ilike(body.current_thread.text, '*support*'),
          strings.ilike(body.current_thread.text, '*receipt*'),
          strings.ilike(body.current_thread.text, '*invoice*'),
          strings.ilike(body.current_thread.text, '*call*'),
          strings.ilike(body.current_thread.text, '*cancel*'),
          strings.ilike(body.current_thread.text, '*renew*'),
          strings.ilike(body.current_thread.text, '*refund*'),
          strings.ilike(body.current_thread.text, '*host key*')
        )
      )
      // phone number regex
      and any([body.current_thread.text, subject.subject],
              regex.icontains(.,
                              '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                              '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
              )
      )
    )
  )

attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
id: "ca6ff69e-f80c-534c-92b9-1949e473dfb2"
```
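To show how the deterministic branch of this rule behaves on sample mail, the following added Python reimplementation (not Sublime's engine; the `ml.nlu_classifier` intent check is omitted, and the sender, return-path, brand, keyword-threshold and phone-number checks are reproduced with Python's `re`) runs the rule's own patterns over two constructed messages.

```python
import re

# Patterns copied from the Sublime rule above; re.I mirrors regex.icontains.
BRAND_RE = re.compile(
    r"mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck", re.I)
PHONE_RES = [
    re.compile(r"\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}", re.I),
    re.compile(r"\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}", re.I),
]
# The strings.ilike('*word*') terms; 3 of them must match.
KEYWORDS = ["purchase", "payment", "transaction", "subscription", "antivirus", "order",
            "support", "receipt", "invoice", "call", "cancel", "renew", "refund", "host key"]

def keyword_hits(text):
    """Count how many of the rule's case-insensitive keyword wildcards match."""
    lowered = text.lower()
    return sum(1 for k in KEYWORDS if k in lowered)

def has_phone_number(*fields):
    """Mirror the any([body, subject], regex.icontains(...)) phone check."""
    return any(p.search(f) for f in fields for p in PHONE_RES)

def matches_rule(sender, return_path_local, subject, body):
    """Evaluate the regex/keyword branch of the rule for an inbound message."""
    if sender != "no-reply@sns.amazonaws.com":
        return False
    # coalesce(..., false): a missing return path does not exclude the message.
    if return_path_local and "aws-ses-bounces" in return_path_local.lower():
        return False
    if not BRAND_RE.search(body):
        return False
    if keyword_hits(body) < 3:
        return False
    return has_phone_number(body, subject)

# Constructed samples (not real messages): a callback scam and a routine SNS alert.
SCAM_BODY = ("Thank you for your purchase of Norton 360 Antivirus. Your payment of $349.99 "
             "has been processed. To cancel or request a refund, call +1 (800) 555-0199.")
BENIGN_BODY = "AWS Notification: CloudWatch alarm CPUUtilization entered ALARM state at 10:42 UTC."

if __name__ == "__main__":
    print(matches_rule("no-reply@sns.amazonaws.com", "", "Your receipt", SCAM_BODY))   # True
    print(matches_rule("no-reply@sns.amazonaws.com", "", "ALARM", BENIGN_BODY))        # False
```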