Brand impersonation: American Express (AMEX)

Impersonation of the credit card provider American Express.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: American Express (AMEX)"
 2description: |
 3    Impersonation of the credit card provider American Express.
 4references:
 5  - "https://www.inc.com/joseph-steinberg/american-express-users-beware-this-scam.html"
 6type: "rule"
 7severity: "low"
 8source: |
 9  type.inbound
10  and (
11    regex.icontains(strings.replace_confusables(sender.display_name),
12                    'american ?express'
13    )
14    or strings.ilike(sender.display_name, "*amer?can expres*")
15    or strings.ilevenshtein(sender.display_name, 'american express') <= 2
16    or strings.icontains(body.current_thread.text,
17                         'american express customer service'
18    )
19    or strings.ilike(sender.email.domain.domain, '*americanexpress*')
20  )
21  and sender.email.domain.root_domain not in (
22    'aexp.com',
23    'americanexpress.ae',
24    'americanexpress.com',
25    'americanexpress.co.uk',
26    'americanexpress.com.bh',
27    'aexpfeedback.com',
28    'amexnetwork.com',
29    'accountonline.com',
30    'transunion.com',
31    'amexgiftcard.com',
32    'amexgbt.com',
33    'herrickstravelamex.com',
34    'citi.com',
35    'secure.com',
36    'nectar.com',
37    'accentinfomedia.com',
38    'egencia.com'
39  )
40  and sender.email.domain.domain not in (
41    'accountprotection.microsoft.com',
42    'amex.membershipmail.net'
43  )
44  and not profile.by_sender().solicited
45  
46  // negate highly trusted sender domains unless they fail DMARC authentication
47  and (
48    (
49      sender.email.domain.root_domain in $high_trust_sender_root_domains
50      and not headers.auth_summary.dmarc.pass
51    )
52    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
53  )  
54attack_types:
55  - "Credential Phishing"
56tactics_and_techniques:
57  - "Impersonation: Brand"
58  - "Lookalike domain"
59  - "Social engineering"
60detection_methods:
61  - "Header analysis"
62  - "Sender analysis"
63id: "992a9fa9-84ee-5065-8486-b3a2a8ffa676"