← Back to Explore
sublimemediumRule
Brand impersonation: Amazon with suspicious attachment
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Detection Query
type.inbound
and (
strings.ilike(sender.display_name, "amazon*")
or any(attachments, strings.icontains(.file_name, "amazon"))
or any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(file.explode(.), strings.icontains(.scan.ocr.raw, "amazon"))
)
)
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(ml.logo_detect(.).brands,
.name == "Amazon" and .confidence in~ ("medium", "high")
)
and (
any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name != "benign" and .confidence == "high"
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name != "benign" and .confidence == "high"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and sender.email.domain.root_domain not in~ (
'a2z.com',
'amazon.com',
'amazon.com.au',
'amazon.co.uk',
'amazon.de',
'amazon.es',
'amazon.fr',
'amazon.it',
'amazon.in',
'amazon.lu',
'amazon.com.au',
'amazonsellerservices.com',
'amazon.ae',
'amazon.sa',
'amazon.cn',
'amazon.ca',
'amazon.com.mx',
'amazon.com.br',
'amazon.ph',
'amazon.sg',
'amazon.com.tr',
'amazonpay.in',
'amazonpay.com',
'synchronybank.com',
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
References
Raw Content
name: "Brand impersonation: Amazon with suspicious attachment"
description: |
Impersonation of Amazon. These are most commonly fake shipping notifications.
Amazon is the #2 most-impersonated brand (as of Q2 2020)
references:
- "https://www.pcmag.com/news/google-and-amazon-are-impersonated-the-most-in-phishing-scams"
- "https://sellercentral.amazon.com/gp/help/external/32261?language=en-US"
type: "rule"
severity: "medium"
source: |
type.inbound
and (
strings.ilike(sender.display_name, "amazon*")
or any(attachments, strings.icontains(.file_name, "amazon"))
or any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(file.explode(.), strings.icontains(.scan.ocr.raw, "amazon"))
)
)
and any(attachments,
(.file_type in $file_types_images or .file_type == "pdf")
and any(ml.logo_detect(.).brands,
.name == "Amazon" and .confidence in~ ("medium", "high")
)
and (
any(file.explode(.),
any(ml.nlu_classifier(.scan.ocr.raw).intents,
.name != "benign" and .confidence == "high"
)
)
or any(ml.nlu_classifier(body.current_thread.text).intents,
.name != "benign" and .confidence == "high"
)
)
)
and (
not profile.by_sender().solicited
or (
profile.by_sender().any_messages_malicious_or_spam
and not profile.by_sender().any_messages_benign
)
)
and sender.email.domain.root_domain not in~ (
'a2z.com',
'amazon.com',
'amazon.com.au',
'amazon.co.uk',
'amazon.de',
'amazon.es',
'amazon.fr',
'amazon.it',
'amazon.in',
'amazon.lu',
'amazon.com.au',
'amazonsellerservices.com',
'amazon.ae',
'amazon.sa',
'amazon.cn',
'amazon.ca',
'amazon.com.mx',
'amazon.com.br',
'amazon.ph',
'amazon.sg',
'amazon.com.tr',
'amazonpay.in',
'amazonpay.com',
'synchronybank.com',
)
attack_types:
- "Credential Phishing"
tactics_and_techniques:
- "Impersonation: Brand"
- "Social engineering"
detection_methods:
- "Computer Vision"
- "File analysis"
- "Header analysis"
- "Natural Language Understanding"
- "Optical Character Recognition"
- "Sender analysis"
id: "5751dcb9-071d-540b-9ec3-410d6aa80c11"