Detection rules โบ Sublime MQL
Brand impersonation: Amazon
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
Threat classification
Sublime's own taxonomy (not MITRE ATT&CK).
| Category | Values |
|---|---|
| Attack types | Credential Phishing |
| Tactics and techniques | Impersonation: Brand, Social engineering |
Event coverage
Rule body MQL
type.inbound
and not any(headers.hops,
any(.fields,
.name == 'X-Amazon-Mail-Relay-Type' and .value == "notification"
)
)
and (
regex.icontains(sender.display_name,
'\b[aaa๐ฐa๏ฝ๐๐ฎ๐๐๐ช๐๐ชะฐษฮฑ๐๐๐ข๐โบ๐ถ๐๐ถ๐ผ๐๐บ]maz[o0]n\s?(pay|marketplace|\.com)|แตโคปแถป'
)
or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
or regex.icontains(sender.display_name,
"prime (subscription|notification|support)"
)
or strings.ilike(subject.subject, "*prime membership*")
or (
strings.ilevenshtein(sender.display_name, 'amazon') <= 1
and sender.email.domain.root_domain in $free_email_providers
)
or (
any(ml.nlu_classifier(body.current_thread.text).intents,
.name == "cred_theft" and .confidence == "high"
)
and any(beta.ml_topic(body.current_thread.text).topics,
.name in (
"Security and Authentication",
"Secure Message",
"Reminders and Notifications",
"Order Confirmations",
"Customer Service and Support"
)
)
and strings.icontains(body.current_thread.text, "amazon")
)
)
// negate listservs
and not (
any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
and strings.contains(sender.display_name, "via")
)
and sender.email.domain.root_domain not in~ (
'amazon.com',
'amazon.com.au',
'amazon.de',
'amazon.es',
'amazon.fr',
'amazon.it',
'amazon.in',
'amazon.lu',
'amazon.nl',
'amazonsellerservices.com',
'amazon.ae',
'amazon.sa',
'amazon.com.sg',
'amazon.co.uk',
'amazon.co.jp',
'amazon.com.mx',
'amazon.com.br',
'amazon.com.tr',
'amazon.cn',
'amazon.ca',
'amazon.sg',
'amazonaws.cn',
'amazonpay.in',
'amazonpay.com',
'q4inc.com',
'synchronybank.com',
'opodo.com',
'flynas.com',
'amazonmusic.com',
'blink.com',
'affirm.com',
'amazon.work',
'amazon.jobs',
'rocketmoney.com',
'registrar.amazon',
'amazonworkspaces.com',
'awsapps.com',
'aws.com',
'awsevents.com',
'amazon.se',
'amazon.ie',
'amazonconnect.com',
'aws-experience.com',
'proofpointessentials.com',
'area1security.com'
)
// negate amazon.com.be explicitly, this cannot be part of the root_domain set above as it uses the PSL (Public suffix list) for parsing and com.be is owned by amazon directly.
and sender.email.domain.domain not in~ ('amazon.com.be')
and sender.email.email not in $recipient_emails
and sender.email.domain.domain not in $org_domains
// negate highly trusted sender domains unless they fail DMARC authentication
and (
(
sender.email.domain.root_domain in $high_trust_sender_root_domains
and not headers.auth_summary.dmarc.pass
)
or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
Detection logic
Scope: inbound message.
Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020)
- inbound message
not:
any of
headers.hopswhere:any of
.fieldswhere all hold:- .name is 'X-Amazon-Mail-Relay-Type'
- .value is 'notification'
any of:
- sender.display_name matches '\\b[aaa๐ฐa๏ฝ๐๐ฎ๐๐๐ช๐๐ชะฐษฮฑ๐๐๐ข๐โบ๐ถ๐๐ถ๐ผ๐๐บ]maz[o0]n\\s?(pay|marketplace|\\.com)|แตโคปแถป'
- sender.display_name is similar to 'amazon.com'
- sender.display_name is similar to 'amazon pay'
- sender.display_name is similar to 'amazon marketplace'
- sender.display_name is similar to 'amazon customer support'
- sender.display_name matches 'prime (subscription|notification|support)'
- subject.subject matches '*prime membership*'
all of:
- sender.display_name is similar to 'amazon'
- sender.email.domain.root_domain in $free_email_providers
all of:
any of
ml.nlu_classifier(body.current_thread.text).intentswhere all hold:- .name is 'cred_theft'
- .confidence is 'high'
any of
beta.ml_topic(body.current_thread.text).topicswhere:- .name in ('Security and Authentication', 'Secure Message', 'Reminders and Notifications', 'Order Confirmations', 'Customer Service and Support')
- body.current_thread.text contains 'amazon'
not:
all of:
any of
headers.hopswhere:any of
.fieldswhere:- .name is 'List-Unsubscribe'
- sender.display_name contains 'via'
- sender.email.domain.root_domain not in ('amazon.com', 'amazon.com.au', 'amazon.de', 'amazon.es', 'amazon.fr', 'amazon.it', 'amazon.in', 'amazon.lu', 'amazon.nl', 'amazonsellerservices.com', 'amazon.ae', 'amazon.sa', 'amazon.com.sg', 'amazon.co.uk', 'amazon.co.jp', 'amazon.com.mx', 'amazon.com.br', 'amazon.com.tr', 'amazon.cn', 'amazon.ca', 'amazon.sg', 'amazonaws.cn', 'amazonpay.in', 'amazonpay.com', 'q4inc.com', 'synchronybank.com', 'opodo.com', 'flynas.com', 'amazonmusic.com', 'blink.com', 'affirm.com', 'amazon.work', 'amazon.jobs', 'rocketmoney.com', 'registrar.amazon', 'amazonworkspaces.com', 'awsapps.com', 'aws.com', 'awsevents.com', 'amazon.se', 'amazon.ie', 'amazonconnect.com', 'aws-experience.com', 'proofpointessentials.com', 'area1security.com')
- sender.email.domain.domain not in ('amazon.com.be')
- sender.email.email not in $recipient_emails
- sender.email.domain.domain not in $org_domains
any of:
all of:
- sender.email.domain.root_domain in $high_trust_sender_root_domains
not:
- headers.auth_summary.dmarc.pass
- sender.email.domain.root_domain not in $high_trust_sender_root_domains
Inspects: body.current_thread.text, headers.auth_summary.dmarc.pass, headers.hops, headers.hops[].fields, headers.hops[].fields[].name, headers.hops[].fields[].value, sender.display_name, sender.email.domain.domain, sender.email.domain.root_domain, sender.email.email, subject.subject, type.inbound. Sensors: beta.ml_topic, ml.nlu_classifier, regex.icontains, strings.contains, strings.icontains, strings.ilevenshtein, strings.ilike. Reference lists: $free_email_providers, $high_trust_sender_root_domains, $org_domains, $recipient_emails.
Indicators matched (66)
| Field | Match | Value |
|---|---|---|
headers.hops[].fields[].name | equals | X-Amazon-Mail-Relay-Type |
headers.hops[].fields[].value | equals | notification |
regex.icontains | regex | \b[aaa๐ฐa๏ฝ๐๐ฎ๐๐๐ช๐๐ชะฐษฮฑ๐๐๐ข๐โบ๐ถ๐๐ถ๐ผ๐๐บ]maz[o0]n\s?(pay|marketplace|\.com)|แตโคปแถป |
strings.ilevenshtein | fuzzy | amazon.com |
strings.ilevenshtein | fuzzy | amazon pay |
strings.ilevenshtein | fuzzy | amazon marketplace |
strings.ilevenshtein | fuzzy | amazon customer support |
regex.icontains | regex | prime (subscription|notification|support) |
strings.ilike | substring | *prime membership* |
strings.ilevenshtein | fuzzy | amazon |
ml.nlu_classifier(body.current_thread.text).intents[].name | equals | cred_theft |
ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high |
54 more
beta.ml_topic(body.current_thread.text).topics[].name | member | Security and Authentication |
beta.ml_topic(body.current_thread.text).topics[].name | member | Secure Message |
beta.ml_topic(body.current_thread.text).topics[].name | member | Reminders and Notifications |
beta.ml_topic(body.current_thread.text).topics[].name | member | Order Confirmations |
beta.ml_topic(body.current_thread.text).topics[].name | member | Customer Service and Support |
strings.icontains | substring | amazon |
headers.hops[].fields[].name | equals | List-Unsubscribe |
strings.contains | substring | via |
sender.email.domain.root_domain | member | amazon.com |
sender.email.domain.root_domain | member | amazon.com.au |
sender.email.domain.root_domain | member | amazon.de |
sender.email.domain.root_domain | member | amazon.es |
sender.email.domain.root_domain | member | amazon.fr |
sender.email.domain.root_domain | member | amazon.it |
sender.email.domain.root_domain | member | amazon.in |
sender.email.domain.root_domain | member | amazon.lu |
sender.email.domain.root_domain | member | amazon.nl |
sender.email.domain.root_domain | member | amazonsellerservices.com |
sender.email.domain.root_domain | member | amazon.ae |
sender.email.domain.root_domain | member | amazon.sa |
sender.email.domain.root_domain | member | amazon.com.sg |
sender.email.domain.root_domain | member | amazon.co.uk |
sender.email.domain.root_domain | member | amazon.co.jp |
sender.email.domain.root_domain | member | amazon.com.mx |
sender.email.domain.root_domain | member | amazon.com.br |
sender.email.domain.root_domain | member | amazon.com.tr |
sender.email.domain.root_domain | member | amazon.cn |
sender.email.domain.root_domain | member | amazon.ca |
sender.email.domain.root_domain | member | amazon.sg |
sender.email.domain.root_domain | member | amazonaws.cn |
sender.email.domain.root_domain | member | amazonpay.in |
sender.email.domain.root_domain | member | amazonpay.com |
sender.email.domain.root_domain | member | q4inc.com |
sender.email.domain.root_domain | member | synchronybank.com |
sender.email.domain.root_domain | member | opodo.com |
sender.email.domain.root_domain | member | flynas.com |
sender.email.domain.root_domain | member | amazonmusic.com |
sender.email.domain.root_domain | member | blink.com |
sender.email.domain.root_domain | member | affirm.com |
sender.email.domain.root_domain | member | amazon.work |
sender.email.domain.root_domain | member | amazon.jobs |
sender.email.domain.root_domain | member | rocketmoney.com |
sender.email.domain.root_domain | member | registrar.amazon |
sender.email.domain.root_domain | member | amazonworkspaces.com |
sender.email.domain.root_domain | member | awsapps.com |
sender.email.domain.root_domain | member | aws.com |
sender.email.domain.root_domain | member | awsevents.com |
sender.email.domain.root_domain | member | amazon.se |
sender.email.domain.root_domain | member | amazon.ie |
sender.email.domain.root_domain | member | amazonconnect.com |
sender.email.domain.root_domain | member | aws-experience.com |
sender.email.domain.root_domain | member | proofpointessentials.com |
sender.email.domain.root_domain | member | area1security.com |
sender.email.domain.domain | member | amazon.com.be |