Sublime Core Feed

Description

Impersonation of Amazon. These are most commonly fake shipping notifications. Amazon is the #2 most-impersonated brand (as of Q2 2020).

Sublime Security
Created Aug 17th, 2023 • Last updated Nov 4th, 2025
Source
type.inbound
and not any(headers.hops,
            any(.fields,
                .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification"
            )
)
and (
  regex.icontains(sender.display_name,
                  '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
  )
  or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
  or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
  or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
  or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
  or regex.icontains(sender.display_name,
                     "prime (subscription|notification|support)"
  )
  or strings.ilike(subject.subject, "*prime membership*")
  or (
    strings.ilevenshtein(sender.display_name, 'amazon') <= 1
    and sender.email.domain.root_domain in $free_email_providers
  )
  or (
    any(ml.nlu_classifier(body.current_thread.text).intents,
        .name == "cred_theft" and .confidence == "high"
    )
    and any(beta.ml_topic(body.current_thread.text).topics,
            .name in (
              "Security and Authentication",
              "Secure Message",
              "Reminders and Notifications",
              "Order Confirmations",
              "Customer Service and Support"
            )
    )
    and strings.icontains(body.current_thread.text, "amazon")
  )
)
// negate listservs
and not (
  any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
  and strings.contains(sender.display_name, "via")
)
and sender.email.domain.root_domain not in~ (
  'amazon.com',
  'amazon.com.au',
  'amazon.de',
  'amazon.es',
  'amazon.fr',
  'amazon.it',
  'amazon.in',
  'amazon.lu',
  'amazon.nl',
  'amazonsellerservices.com',
  'amazon.ae',
  'amazon.sa',
  'amazon.com.be',
  'amazon.com.sg',
  'amazon.co.uk',
  'amazon.co.jp',
  'amazon.com.mx',
  'amazon.com.br',
  'amazon.com.tr',
  'amazon.cn',
  'amazon.ca',
  'amazon.sg',
  'amazonaws.cn',
  'amazonpay.in',
  'amazonpay.com',
  'q4inc.com',
  'synchronybank.com',
  'opodo.com',
  'flynas.com',
  'amazonmusic.com',
  'blink.com',
  'affirm.com',
  'amazon.work',
  'amazon.jobs',
  'rocketmoney.com',
  'registrar.amazon',
  'amazonworkspaces.com',
  'awsapps.com',
  'aws.com',
  'awsevents.com',
  'amazon.se',
  'amazon.ie',
  'amazonconnect.com',
  'aws-experience.com',
  'proofpointessentials.com',
  'area1security.com'
)

// negate amazon.com.be explicitly; it cannot be handled by the root_domain set above because root_domain parsing uses the Public Suffix List (PSL), and com.be is owned by Amazon directly.
and sender.email.domain.domain not in~ ('amazon.com.be', )
and sender.email.email not in $recipient_emails
and sender.email.domain.domain not in $org_domains

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
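The display-name branches of the rule above, as an added Python prototype (not Sublime's code and not MQL): it folds the rule's homoglyph character class with NFKC plus a few explicit mappings, reimplements the case-insensitive Levenshtein comparison, and evaluates constructed sample senders. The free-provider and Amazon-domain sets, the sample senders and the ASCII forms of the two regexes are assumptions; the ML, subject, listserv and DMARC branches are left out.

```python
import re
import unicodedata

# Assumed stand-ins for $free_email_providers and a subset of the rule's negated
# Amazon sending domains; both are illustrative, not Sublime's data.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
AMAZON_ROOT_DOMAINS = {"amazon.com", "amazon.co.uk", "amazonpay.com"}

# ASCII forms of the rule's two regexes, applied after homoglyph folding
AMAZON_NAME_RE = re.compile(r"\bamaz[o0]n\s?(pay|marketplace|\.com)")
PRIME_RE = re.compile(r"prime (subscription|notification|support)")
LOOKALIKE_TARGETS = ("amazon.com", "amazon pay", "amazon marketplace", "amazon customer support")
# Lookalikes that NFKC leaves alone: Cyrillic а, Greek α, Latin ɑ, APL ⍺
EXTRA_FOLDS = str.maketrans({"\u0430": "a", "\u03b1": "a", "\u0251": "a", "\u237a": "a"})

def fold_homoglyphs(text: str) -> str:
    # NFKC maps the mathematical and fullwidth 'a' variants of the rule's class to plain 'a'
    return unicodedata.normalize("NFKC", text).casefold().translate(EXTRA_FOLDS)

def ilevenshtein(a: str, b: str) -> int:  # case-insensitive edit distance (strings.ilevenshtein)
    a, b = a.casefold(), b.casefold()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_amazon_impersonation(display_name: str, root_domain: str) -> bool:
    name, domain = fold_homoglyphs(display_name), root_domain.lower()
    lookalike = (
        bool(AMAZON_NAME_RE.search(name))
        or any(ilevenshtein(name, target) <= 1 for target in LOOKALIKE_TARGETS)
        or bool(PRIME_RE.search(name))
        or (ilevenshtein(name, "amazon") <= 1 and domain in FREE_EMAIL_PROVIDERS)
    )
    return lookalike and domain not in AMAZON_ROOT_DOMAINS  # the rule's `not in~` negation

# Constructed (display name, sender root domain) pairs; not taken from the rule page
SAMPLES = [
    ("Amazon.com", "amazon.com"),             # genuine brand domain: negated
    ("Amaz0n.com", "gmail.com"),              # digit zero for 'o'
    ("\u0410mazon.com", "mail.example"),      # Cyrillic capital A
    ("\U0001D400mazon Pay", "example.test"),  # mathematical bold A
    ("Amazon", "gmail.com"),                  # bare brand name from a free-mail provider
    ("Amazon", "contoso.example"),            # same name from a corporate domain: not flagged
    ("Prime Notification Team", "alerts.example"),
]
VERDICTS = [is_amazon_impersonation(name, domain) for name, domain in SAMPLES]
```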