Description

Impersonation of Amazon, most commonly as fake shipping notifications. Amazon was the #2 most-impersonated brand as of Q2 2020.

Sublime Security
Created Aug 17th, 2023 • Last updated Apr 18th, 2025
Source
type.inbound
and not any(headers.hops,
            any(.fields, .name == 'X-Amazon-Mail-Relay-Type' and .value == "notification")
)
and (
  regex.icontains(sender.display_name,
                  '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
  )
  or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
  or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1
  or strings.ilevenshtein(sender.display_name, 'amazon marketplace') <= 1
  or strings.ilevenshtein(sender.display_name, 'amazon customer support') <= 1
  or regex.icontains(sender.display_name, "prime (subscription|notification|support)")
  or strings.ilike(subject.subject, "*prime membership*")
  or (
    strings.ilevenshtein(sender.display_name, 'amazon') <= 1
    and sender.email.domain.root_domain in $free_email_providers
  )
)
// negate listservs
and not (
    any(headers.hops, any(.fields, .name == "List-Unsubscribe"))
    and strings.contains(sender.display_name, "via")
)
and sender.email.domain.root_domain not in~ (
  'amazon.com',
  'amazon.com.au',
  'amazon.de',
  'amazon.es',
  'amazon.fr',
  'amazon.it',
  'amazon.in',
  'amazon.lu',
  'amazon.nl',
  'amazonsellerservices.com',
  'amazon.ae',
  'amazon.sa',
  'amazon.com.be',
  'amazon.com.sg',
  'amazon.co.uk',
  'amazon.co.jp',
  'amazon.com.mx',
  'amazon.com.br',
  'amazon.com.tr',
  'amazon.cn',
  'amazon.ca',
  'amazon.sg',
  'amazonpay.in',
  'amazonpay.com',
  'q4inc.com',
  'synchronybank.com',
  'opodo.com',
  'flynas.com',
  'amazonmusic.com'
)

// negate amazon.com.be explicitly against the full domain as well: root_domain parsing uses the
// PSL (Public Suffix List), and com.be is owned by Amazon directly, so the root_domain entry
// above cannot be relied on to match it
and sender.email.domain.domain not in~ (
  'amazon.com.be'
)

and sender.email.email not in $recipient_emails
and sender.email.domain.domain not in $org_domains

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)
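To make the rule's branches concrete, here is a Python re-implementation of the logic above, added as an example; it is not Sublime's engine and not MQL. The `$`-prefixed lists (`$free_email_providers`, `$high_trust_sender_root_domains`, `$org_domains`) are replaced by small assumed stand-in sets, `root_domain` is approximated with only the two-label suffixes that appear in the rule (the real engine uses the full Public Suffix List), and the sample messages are constructed, not captured mail.

```python
import re

# Added example: Python re-implementation of the MQL rule, not Sublime's code.
# The "a" lookalikes below are copied from the rule's character class.
AMAZON_RE = re.compile(
    r"\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ",
    re.IGNORECASE,
)
PRIME_RE = re.compile(r"prime (subscription|notification|support)", re.IGNORECASE)
LEV_TARGETS = ("amazon.com", "amazon pay", "amazon marketplace", "amazon customer support")

AMAZON_ROOT_DOMAINS = {  # the rule's own allowlist
    "amazon.com", "amazon.com.au", "amazon.de", "amazon.es", "amazon.fr", "amazon.it",
    "amazon.in", "amazon.lu", "amazon.nl", "amazonsellerservices.com", "amazon.ae",
    "amazon.sa", "amazon.com.be", "amazon.com.sg", "amazon.co.uk", "amazon.co.jp",
    "amazon.com.mx", "amazon.com.br", "amazon.com.tr", "amazon.cn", "amazon.ca",
    "amazon.sg", "amazonpay.in", "amazonpay.com", "q4inc.com", "synchronybank.com",
    "opodo.com", "flynas.com", "amazonmusic.com",
}
EXPLICIT_DOMAINS = {"amazon.com.be"}
# Assumed stand-ins for the $-lists referenced by the rule.
FREE_EMAIL_PROVIDERS = {"gmail.com", "outlook.com", "yahoo.com"}
HIGH_TRUST_ROOT_DOMAINS = {"trusted-notify.example"}
ORG_DOMAINS = {"corp.example"}
# Approximation of PSL-based root_domain: only the two-label suffixes seen in the rule.
TWO_LABEL_SUFFIXES = {"com.au", "com.be", "com.sg", "com.mx", "com.br", "com.tr", "co.uk", "co.jp"}

def root_domain(domain):
    labels = domain.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def ilevenshtein(a, b):
    """Case-insensitive edit distance, the equivalent of MQL strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_amazon_impersonation(msg, recipient_emails=()):
    """True when the message trips the rule; msg keys mirror the MQL fields used above."""
    name, headers = msg["display_name"], msg.get("headers", [])
    email = msg["sender_email"].lower()
    domain = email.split("@", 1)[1]
    root = root_domain(domain)
    # Mail that Amazon's own relay stamped as a notification is never flagged.
    if ("X-Amazon-Mail-Relay-Type", "notification") in headers:
        return False
    brandish = (
        AMAZON_RE.search(name) is not None
        or any(ilevenshtein(name, t) <= 1 for t in LEV_TARGETS)
        or PRIME_RE.search(name) is not None
        or "prime membership" in msg.get("subject", "").lower()
        or (ilevenshtein(name, "amazon") <= 1 and root in FREE_EMAIL_PROVIDERS)
    )
    if not brandish:
        return False
    # Listserv relays ("... via Groups") carry List-Unsubscribe; the rule lets them through.
    if any(k == "List-Unsubscribe" for k, _ in headers) and "via" in name:
        return False
    if root in AMAZON_ROOT_DOMAINS or domain in EXPLICIT_DOMAINS:
        return False
    if email in {r.lower() for r in recipient_emails} or domain in ORG_DOMAINS:
        return False
    # High-trust senders are tolerated only while DMARC passes; a failure re-arms the rule.
    if root in HIGH_TRUST_ROOT_DOMAINS and msg.get("dmarc_pass", False):
        return False
    return True

# Constructed sample messages (display name, sender, headers, dmarc_pass); not real mail.
SAMPLES = {
    "lookalike_tld": ("Amaz0n.com", "orders@delivery-status.example", [], True),
    "cyrillic_pay": ("Аmazon Pay", "billing@secure-pay-update.example", [], True),  # Cyrillic А
    "math_bold": ("𝐚mazon Marketplace", "seller@seller-central-login.example", [], True),
    "legit_amazon": ("Amazon.com", "ship-confirm@amazon.com", [], True),
    "relay_header": ("Amazon.com", "no-reply@bulk-sender.example",
                     [("X-Amazon-Mail-Relay-Type", "notification")], True),
    "listserv": ("Amazon Marketplace via Groups", "groups@lists.example",
                 [("List-Unsubscribe", "<mailto:unsub@lists.example>")], True),
    "bare_free": ("Amazon", "amzn.support@gmail.com", [], True),
    "bare_partner": ("Amazon", "sam@partner.example", [], True),
    "trusted_pass": ("Amazon Marketplace", "alerts@trusted-notify.example", [], True),
    "trusted_fail": ("Amazon Marketplace", "alerts@trusted-notify.example", [], False),
}

def run_samples():
    """Evaluate every sample through the rule; returns {sample name: flagged}."""
    return {
        key: is_amazon_impersonation(
            {"display_name": n, "sender_email": e, "headers": h, "dmarc_pass": d, "subject": "Your order"})
        for key, (n, e, h, d) in SAMPLES.items()
    }
```

Running `run_samples()` flags the lookalike, Cyrillic, mathematical-bold, free-mail "Amazon" and DMARC-failing high-trust samples, and passes the genuine amazon.com sender, the Amazon relay header, the listserv copy, the bare "Amazon" from a non-free domain and the DMARC-passing high-trust sender. The `lower()` calls stand in for MQL's case-insensitive `in~` and `ilevenshtein`; the header-name and `"via"` comparisons stay case-sensitive, as they are in the rule.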