Brand impersonation: Amazon

name: "Brand impersonation: Amazon"
description: |
  Impersonation of Amazon. These are most commonly fake shipping notifications.
  Amazon is the #2 most-impersonated brand (as of Q2 2020)
references:
  - "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
  - "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
type: "rule"
severity: "low"
source: |
  type.inbound
  and not any(headers.hops,
              any(.fields,
                  .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification"
              )
  )
  and (
    regex.icontains(sender.display_name,
                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
    )
    or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
    or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
    or regex.icontains(sender.display_name,
                       "prime (subscription|notification|support)"
    )
    or strings.ilike(subject.subject, "*prime membership*")
    or (
      strings.ilevenshtein(sender.display_name, 'amazon') <= 1
      and sender.email.domain.root_domain in $free_email_providers
    )
    or (
      any(ml.nlu_classifier(body.current_thread.text).intents,
          .name == "cred_theft" and .confidence == "high"
      )
      and any(beta.ml_topic(body.current_thread.text).topics,
              .name in (
                "Security and Authentication",
                "Secure Message",
                "Reminders and Notifications",
                "Order Confirmations",
                "Customer Service and Support"
              )
      )
      and strings.icontains(body.current_thread.text, "amazon")
    )
  )
  // negate listservs
  and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
  )
  and sender.email.domain.root_domain not in~ (
    'amazon.com',
    'amazon.com.au',
    'amazon.de',
    'amazon.es',
    'amazon.fr',
    'amazon.it',
    'amazon.in',
    'amazon.lu',
    'amazon.nl',
    'amazonsellerservices.com',
    'amazon.ae',
    'amazon.sa',
    'amazon.com.sg',
    'amazon.co.uk',
    'amazon.co.jp',
    'amazon.com.mx',
    'amazon.com.br',
    'amazon.com.tr',
    'amazon.cn',
    'amazon.ca',
    'amazon.sg',
    'amazonaws.cn',
    'amazonpay.in',
    'amazonpay.com',
    'q4inc.com',
    'synchronybank.com',
    'opodo.com',
    'flynas.com',
    'amazonmusic.com',
    'blink.com',
    'affirm.com',
    'amazon.work',
    'amazon.jobs',
    'rocketmoney.com',
    'registrar.amazon',
    'amazonworkspaces.com',
    'awsapps.com',
    'aws.com',
    'awsevents.com',
    'amazon.se',
    'amazon.ie',
    'amazonconnect.com',
    'aws-experience.com',
    'proofpointessentials.com',
    'area1security.com'
  )
  
  // negate amazon.com.be explicitly, this cannot be part of the root_domain set above as it uses the PSL (Public suffix list) for parsing and com.be is owned by amazon directly.
  and sender.email.domain.domain not in~ ('amazon.com.be')
  and sender.email.email not in $recipient_emails
  and sender.email.domain.domain not in $org_domains
  
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "13fc967d-4cc6-501d-9637-8c0761a1a354"