From b1d71e84b72754576a0d15469b0097d1c1b72bb2 Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Thu, 18 Dec 2025 19:40:33 -0800
Subject: [PATCH 1/2] Update impersonation_amazon.yml

---
 detection-rules/impersonation_amazon.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index f4ef7367cd7..26b13bed718 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -16,7 +16,7 @@ source: |
   )
   and (
     regex.icontains(sender.display_name,
-                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com)|ᵃ⤻ᶻ'
+                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com|\.\w{2}\b|\.com?\.\w{2})|ᵃ⤻ᶻ'
     )
     or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
     or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1

From 64e39df5a173981d81879a0cc1b18370e3d8c61a Mon Sep 17 00:00:00 2001
From: Peter Djordjevic <116412909+peterdj45@users.noreply.github.com>
Date: Thu, 18 Dec 2025 19:47:16 -0800
Subject: [PATCH 2/2] Update impersonation_amazon.yml

---
 detection-rules/impersonation_amazon.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/detection-rules/impersonation_amazon.yml b/detection-rules/impersonation_amazon.yml
index 26b13bed718..961920a4aef 100644
--- a/detection-rules/impersonation_amazon.yml
+++ b/detection-rules/impersonation_amazon.yml
@@ -16,7 +16,7 @@ source: |
   )
   and (
     regex.icontains(sender.display_name,
-                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com|\.\w{2}\b|\.com?\.\w{2})|ᵃ⤻ᶻ'
+                    '\b[aaa𝝰aａ𝑎𝗮𝕒𝖆𝓪𝚊𝞪аɑα𝔞𝒂𝘢𝛂⍺𝒶𝙖𝜶𝛼𝐚𝖺]maz[o0]n\s?(pay|marketplace|\.com|\.\w{2}\b|\.co\.\w{2})|ᵃ⤻ᶻ'
     )
     or strings.ilevenshtein(sender.display_name, 'amazon.com') <= 1
     or strings.ilevenshtein(sender.display_name, 'amazon pay') <= 1