
Brand impersonation: Amazon with suspicious attachment

Severity: medium
Type: rule
Source: github.com/sublime-security/sublime-rules

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).

Threat classification

Sublime's own taxonomy (not MITRE ATT&CK).

Category                 Values
Attack types             Credential Phishing
Tactics and techniques   Impersonation: Brand, Social engineering

Rule body (MQL)

type.inbound
and (
  strings.ilike(sender.display_name, "amazon*")
  or any(attachments, strings.icontains(.file_name, "amazon"))
  or any(attachments,
         (.file_type in $file_types_images or .file_type == "pdf")
         and any(file.explode(.), strings.icontains(.scan.ocr.raw, "amazon"))
  )
)
and any(attachments,
        (.file_type in $file_types_images or .file_type == "pdf")
        and any(ml.logo_detect(.).brands,
                .name == "Amazon" and .confidence in~ ("medium", "high")
        )
        and (
          any(file.explode(.),
              any(ml.nlu_classifier(.scan.ocr.raw).intents,
                  .name != "benign" and .confidence == "high"
              )
          )
          or any(ml.nlu_classifier(body.current_thread.text).intents,
                 .name != "benign" and .confidence == "high"
          )
        )
)
and (
  not profile.by_sender().solicited
  or (
    profile.by_sender().any_messages_malicious_or_spam
    and not profile.by_sender().any_messages_benign
  )
)
and sender.email.domain.root_domain not in~ (
  'a2z.com',
  'amazon.com',
  'amazon.com.au',
  'amazon.co.uk',
  'amazon.de',
  'amazon.es',
  'amazon.fr',
  'amazon.it',
  'amazon.in',
  'amazon.lu',
  'amazon.com.au',
  'amazonsellerservices.com',
  'amazon.ae',
  'amazon.sa',
  'amazon.cn',
  'amazon.ca',
  'amazon.com.mx',
  'amazon.com.br',
  'amazon.ph',
  'amazon.sg',
  'amazon.com.tr',
  'amazonpay.in',
  'amazonpay.com',
  'synchronybank.com',
  'aws.com'
)

Detection logic

Scope: inbound message.

  1. inbound message
  2. any of:
    • sender.display_name matches 'amazon*'
    • any of attachments where:
      • .file_name contains 'amazon'
    • any of attachments where all hold:
      • any of:
        • .file_type in $file_types_images
        • .file_type is 'pdf'
      • any of file.explode(.) where:
        • .scan.ocr.raw contains 'amazon'
  3. any of attachments where all hold:
    • any of:
      • .file_type in $file_types_images
      • .file_type is 'pdf'
    • any of ml.logo_detect(.).brands where all hold:
      • .name is 'Amazon'
      • .confidence in ('medium', 'high')
    • any of:
      • any of file.explode(.) where:
        • any of ml.nlu_classifier(.scan.ocr.raw).intents where all hold:
          • .name is not 'benign'
          • .confidence is 'high'
      • any of ml.nlu_classifier(body.current_thread.text).intents where all hold:
        • .name is not 'benign'
        • .confidence is 'high'
  4. any of:
    • not:
      • profile.by_sender().solicited
    • all of:
      • profile.by_sender().any_messages_malicious_or_spam
      • not:
        • profile.by_sender().any_messages_benign
  5. sender.email.domain.root_domain not in ('a2z.com', 'amazon.com', 'amazon.com.au', 'amazon.co.uk', 'amazon.de', 'amazon.es', 'amazon.fr', 'amazon.it', 'amazon.in', 'amazon.lu', 'amazon.com.au', 'amazonsellerservices.com', 'amazon.ae', 'amazon.sa', 'amazon.cn', 'amazon.ca', 'amazon.com.mx', 'amazon.com.br', 'amazon.ph', 'amazon.sg', 'amazon.com.tr', 'amazonpay.in', 'amazonpay.com', 'synchronybank.com', 'aws.com')

Inspects: attachments[].file_name, attachments[].file_type, body.current_thread.text, sender.display_name, sender.email.domain.root_domain, type.inbound. Sensors: file.explode, ml.logo_detect, ml.nlu_classifier, profile.by_sender, strings.icontains, strings.ilike. Reference lists: $file_types_images.
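The five conjuncts above gate on each other: the Amazon reference (step 2) and the logo-plus-intent check (step 3) only produce a match when the sender is untrusted (step 4) and the root domain is outside the allowlist (step 5). The following is an added example, not code from the rule or the sublime-rules repository: a small Python model of that gating logic, with the sensor outputs (logo detection, OCR, NLU intents, sender profile) supplied as plain fields on constructed messages so the logic can be unit-tested offline. The contents of $file_types_images and the intent label "cred_theft" are assumptions for the sample.

```python
from fnmatch import fnmatchcase

# Allowlisted Amazon root domains, copied from the rule body.
AMAZON_ROOT_DOMAINS = {
    "a2z.com", "amazon.com", "amazon.com.au", "amazon.co.uk", "amazon.de",
    "amazon.es", "amazon.fr", "amazon.it", "amazon.in", "amazon.lu",
    "amazonsellerservices.com", "amazon.ae", "amazon.sa", "amazon.cn",
    "amazon.ca", "amazon.com.mx", "amazon.com.br", "amazon.ph", "amazon.sg",
    "amazon.com.tr", "amazonpay.in", "amazonpay.com", "synchronybank.com",
    "aws.com",
}
# Stand-in for the $file_types_images reference list (assumed contents).
FILE_TYPES_IMAGES = {"png", "jpg", "jpeg", "gif", "bmp"}


def ilike(value, pattern):
    """Models strings.ilike: case-insensitive glob match ('*' and '?')."""
    return fnmatchcase(value.lower(), pattern.lower())


def icontains(value, needle):
    """Models strings.icontains: case-insensitive substring test."""
    return needle.lower() in value.lower()


def is_visual(att):
    """(.file_type in $file_types_images or .file_type == "pdf")"""
    return att["file_type"] in FILE_TYPES_IMAGES or att["file_type"] == "pdf"


def mentions_amazon(msg):
    """Step 2: display name, attachment name, or OCR text references Amazon."""
    atts = msg["attachments"]
    return (
        ilike(msg["sender"]["display_name"], "amazon*")
        or any(icontains(a["file_name"], "amazon") for a in atts)
        or any(is_visual(a) and any(icontains(e["ocr"], "amazon") for e in a["exploded"])
               for a in atts)
    )


def high_confidence_intent(intents):
    """any(intents, .name != "benign" and .confidence == "high")"""
    return any(i["name"] != "benign" and i["confidence"] == "high" for i in intents)


def amazon_logo_with_intent(msg):
    """Step 3: a visual attachment carries an Amazon logo at medium/high confidence,
    and either its OCR text or the message body classifies as a non-benign intent."""
    for a in msg["attachments"]:
        if not is_visual(a):
            continue
        logo = any(b["name"] == "Amazon" and b["confidence"].lower() in ("medium", "high")
                   for b in a["logo_brands"])
        if not logo:
            continue
        if (any(high_confidence_intent(e["intents"]) for e in a["exploded"])
                or high_confidence_intent(msg["body_intents"])):
            return True
    return False


def sender_untrusted(msg):
    """Step 4: unsolicited sender, or a sender whose history is only malicious/spam."""
    p = msg["sender_profile"]
    return (not p["solicited"]) or (p["any_messages_malicious_or_spam"]
                                    and not p["any_messages_benign"])


def not_amazon_domain(msg):
    """Step 5: root domain outside the allowlist; `in~` is case-insensitive."""
    return msg["sender"]["root_domain"].lower() not in AMAZON_ROOT_DOMAINS


def rule_matches(msg):
    """All five conjuncts of the rule must hold."""
    return (msg["inbound"] and mentions_amazon(msg) and amazon_logo_with_intent(msg)
            and sender_untrusted(msg) and not_amazon_domain(msg))


def make_message(root_domain, solicited=False, benign_history=False,
                 bad_history=False, logo_confidence="high"):
    """Constructed sample: a fake delivery notice with an Amazon-branded PDF."""
    return {
        "inbound": True,
        "sender": {"display_name": "Amazon Shipping", "root_domain": root_domain},
        "attachments": [{
            "file_name": "delivery_notice.pdf",
            "file_type": "pdf",
            "logo_brands": [{"name": "Amazon", "confidence": logo_confidence}],
            "exploded": [{
                "ocr": "Your Amazon package could not be delivered. Confirm your account to reschedule.",
                "intents": [{"name": "cred_theft", "confidence": "high"}],  # label assumed
            }],
        }],
        "body_intents": [{"name": "benign", "confidence": "high"}],
        "sender_profile": {"solicited": solicited,
                           "any_messages_malicious_or_spam": bad_history,
                           "any_messages_benign": benign_history},
    }


if __name__ == "__main__":
    print(rule_matches(make_message("amazon-delivery.example")))   # lookalike: True
    print(rule_matches(make_message("amazon.com")))                # allowlisted: False
    print(rule_matches(make_message("amazon-delivery.example", solicited=True,
                                    benign_history=True)))         # trusted sender: False
```

The sample cases show the two suppression paths a triager should expect: a message from an allowlisted root domain never fires regardless of content (and the comparison is case-insensitive, matching `in~`), and a solicited sender with any benign history is excluded even when every content signal is present.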

Indicators matched (32)

Field | Match | Value
strings.ilike | substring | amazon*
strings.icontains | substring | amazon
attachments[].file_type | equals | pdf
ml.logo_detect(attachments[]).brands[].name | equals | Amazon
ml.logo_detect(attachments[]).brands[].confidence | member | medium
ml.logo_detect(attachments[]).brands[].confidence | member | high
ml.nlu_classifier(file.explode(attachments[])[].scan.ocr.raw).intents[].confidence | equals | high
ml.nlu_classifier(body.current_thread.text).intents[].confidence | equals | high
sender.email.domain.root_domain | member | a2z.com
sender.email.domain.root_domain | member | amazon.com
sender.email.domain.root_domain | member | amazon.com.au
sender.email.domain.root_domain | member | amazon.co.uk
sender.email.domain.root_domain | member | amazon.de
sender.email.domain.root_domain | member | amazon.es
sender.email.domain.root_domain | member | amazon.fr
sender.email.domain.root_domain | member | amazon.it
sender.email.domain.root_domain | member | amazon.in
sender.email.domain.root_domain | member | amazon.lu
sender.email.domain.root_domain | member | amazonsellerservices.com
sender.email.domain.root_domain | member | amazon.ae
sender.email.domain.root_domain | member | amazon.sa
sender.email.domain.root_domain | member | amazon.cn
sender.email.domain.root_domain | member | amazon.ca
sender.email.domain.root_domain | member | amazon.com.mx
sender.email.domain.root_domain | member | amazon.com.br
sender.email.domain.root_domain | member | amazon.ph
sender.email.domain.root_domain | member | amazon.sg
sender.email.domain.root_domain | member | amazon.com.tr
sender.email.domain.root_domain | member | amazonpay.in
sender.email.domain.root_domain | member | amazonpay.com
sender.email.domain.root_domain | member | synchronybank.com
sender.email.domain.root_domain | member | aws.com