Service abuse: AWS SNS callback scam impersonation
Detects callback scam messages sent through Amazon Web Services Simple Notification Service (SNS) that impersonate well-known brands such as McAfee, Norton, PayPal, Geek Squad, eBay, Symantec, Best Buy and LifeLock. SES bounce notifications are excluded. A message matches in one of two ways: either the NLU classifier labels its text as a callback scam with a confidence other than "low", or the body names one of those brands, contains at least three purchase/support terms (purchase, payment, receipt, invoice, refund, call, …) and the body or subject carries a phone-number-shaped string. These fraudulent purchase receipts or service notifications solicit a call back to the listed number, potentially leading to financial theft or malware installation.
Detection Query
// Scope: inbound mail whose From address is the Amazon SNS sender. `==` is an
// exact string comparison. The rule carries no SPF/DKIM/DMARC condition, so a
// message that spoofs this From address from non-AWS infrastructure matches as
// well. That is acceptable for scam detection, but it means the "service abuse"
// (genuine SNS origin) framing is not verified — NOTE(review): add an
// authentication check if that distinction matters for triage.
type.inbound
and sender.email.email == "no-reply@sns.amazonaws.com"
// Exclude SES bounce notifications, recognised by the Return-Path local part.
// coalesce(..., false) maps a missing Return-Path to "not a bounce", so such
// messages remain in scope rather than being silently dropped by the `not`.
and not coalesce(strings.icontains(headers.return_path.local_part,
                                   'aws-ses-bounces'
                 ),
                 false
    )
and (
  // Branch 1: the NLU classifier labels the current thread text as a callback
  // scam at any confidence other than "low". This branch is sufficient on its
  // own — no brand name, keyword count or phone number is required for it.
  any(ml.nlu_classifier(body.current_thread.text).intents,
      .name == "callback_scam" and .confidence != "low"
  )
  or (
    // Branch 2: heuristic match. All three sub-conditions (a)-(c) must hold.
    // (a) an impersonated brand is named. [o0] tolerates zero-for-o lookalikes
    // and .{0,5} tolerates spacing/punctuation inside "Geek Squad".
    regex.icontains(body.current_thread.text,
                    (
                      "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
                    )
    )
    and (
      // (b) at least 3 of these purchase/support terms appear. These are
      // unanchored, case-insensitive substring globs: '*call*' also matches
      // "recall"/"locally", '*order*' matches "border", '*renew*' matches
      // "renewal". Broad by design; the 3-of threshold limits the noise.
      3 of (
        strings.ilike(body.current_thread.text, '*purchase*'),
        strings.ilike(body.current_thread.text, '*payment*'),
        strings.ilike(body.current_thread.text, '*transaction*'),
        strings.ilike(body.current_thread.text, '*subscription*'),
        strings.ilike(body.current_thread.text, '*antivirus*'),
        strings.ilike(body.current_thread.text, '*order*'),
        strings.ilike(body.current_thread.text, '*support*'),
        strings.ilike(body.current_thread.text, '*receipt*'),
        strings.ilike(body.current_thread.text, '*invoice*'),
        strings.ilike(body.current_thread.text, '*call*'),
        strings.ilike(body.current_thread.text, '*cancel*'),
        strings.ilike(body.current_thread.text, '*renew*'),
        strings.ilike(body.current_thread.text, '*refund*'),
        strings.ilike(body.current_thread.text, '*host key*')
      )
    )
    // (c) phone number regex — a callback number in the body or the subject
    // (either field is enough; either pattern is enough).
    // Pattern 1: optional "+" and one-digit country code, then 3-3-4 groups
    // where every group accepts i/l/o as lookalikes for 1/0. One separator of
    // any character ('.') is required after the area code and one is optional
    // before the last group. "{3}?" is a lazy exact-count quantifier and
    // therefore behaves the same as "{3}".
    // Pattern 2: optional one- or two-digit country code, then up to 5
    // separator characters (whitespace, '.', '-', U+22C5) between groups. The
    // area code here is \d{3} (ASCII digits only) while the other two groups
    // accept [ilo0-9] — NOTE(review): this looks unintentional; using
    // [ilo0-9]{3} for the area code would let an "8OO - 555 - 1234" style
    // number match (pattern 1 misses it because its separator is one char).
    // Neither pattern is anchored or bounded, so any run of 10+ digit-like
    // characters (e.g. an order or transaction ID) satisfies it; that is
    // tolerable here only because (a) and (b) must hold as well.
    and any([body.current_thread.text, subject.subject],
            regex.icontains(.,
                            '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
                            '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
            )
    )
  )
)
Data Sources
Email Messages, Email Headers, Email Attachments
Platforms
email
Raw Content
# Sublime Security detection rule. The `source` block holds the MQL query; the
# remaining keys are rule metadata (name, description, severity, taxonomy, id).
name: "Service abuse: AWS SNS callback scam impersonation"
description: "Detects callback scam messages sent through Amazon Web Services Simple Notification Service (SNS) that impersonate well-known brands like McAfee, Norton, PayPal, and others. The rule identifies fraudulent purchase receipts or service notifications containing phone numbers to solicit victim callbacks, potentially leading to financial theft or malware installation."
type: "rule"
severity: "medium"
# Query logic: inbound mail from the SNS From address, excluding SES bounce
# notifications (Return-Path local part contains 'aws-ses-bounces'; a missing
# Return-Path counts as "not a bounce"), that EITHER the NLU classifier labels
# "callback_scam" at a confidence other than "low" OR (all three) names an
# impersonated brand, contains 3+ purchase/support substrings, and carries a
# phone-number-shaped string in the body or subject.
# NOTE(review): the sender condition is plain string equality with no SPF/DKIM/
# DMARC check, so a spoofed From header from non-AWS infrastructure matches too.
# NOTE(review): in the second phone regex the area code is \d{3} (digits only)
# while every other group accepts [ilo0-9] lookalikes; this asymmetry looks
# unintentional and means "8OO - 555 - 1234" style numbers are missed.
# NOTE(review): the phone regexes are unanchored, so any run of 10+ digit-like
# characters (order/transaction IDs) satisfies them; the brand and keyword
# conditions are what keep that branch from firing on ordinary receipts.
source: |
  type.inbound
  and sender.email.email == "no-reply@sns.amazonaws.com"
  and not coalesce(strings.icontains(headers.return_path.local_part,
  'aws-ses-bounces'
  ),
  false
  )
  and (
  any(ml.nlu_classifier(body.current_thread.text).intents,
  .name == "callback_scam" and .confidence != "low"
  )
  or (
  regex.icontains(body.current_thread.text,
  (
  "mcafee|n[o0]rt[o0]n|geek.{0,5}squad|paypal|ebay|symantec|best buy|lifel[o0]ck"
  )
  )
  and (
  3 of (
  strings.ilike(body.current_thread.text, '*purchase*'),
  strings.ilike(body.current_thread.text, '*payment*'),
  strings.ilike(body.current_thread.text, '*transaction*'),
  strings.ilike(body.current_thread.text, '*subscription*'),
  strings.ilike(body.current_thread.text, '*antivirus*'),
  strings.ilike(body.current_thread.text, '*order*'),
  strings.ilike(body.current_thread.text, '*support*'),
  strings.ilike(body.current_thread.text, '*receipt*'),
  strings.ilike(body.current_thread.text, '*invoice*'),
  strings.ilike(body.current_thread.text, '*call*'),
  strings.ilike(body.current_thread.text, '*cancel*'),
  strings.ilike(body.current_thread.text, '*renew*'),
  strings.ilike(body.current_thread.text, '*refund*'),
  strings.ilike(body.current_thread.text, '*host key*')
  )
  )
  // phone number regex
  and any([body.current_thread.text, subject.subject],
  regex.icontains(.,
  '\+?([ilo0-9]{1}.)?\(?[ilo0-9]{3}?\)?.[ilo0-9]{3}.?[ilo0-9]{4}',
  '\+?([ilo0-9]{1,2})?\s?\(?\d{3}\)?[\s\.\-⋅]{0,5}[ilo0-9]{3}[\s\.\-⋅]{0,5}[ilo0-9]{4}'
  )
  )
  )
  )
# Taxonomy used by the platform for grouping and reporting.
attack_types:
  - "Callback Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Natural Language Understanding"
  - "Sender analysis"
# Stable rule identifier; keep unchanged when editing the query.
id: "ca6ff69e-f80c-534c-92b9-1949e473dfb2"