Brand impersonation: American Express (AMEX)

Impersonation of the credit card provider American Express.

Sublime rule

```yaml
name: "Brand impersonation: American Express (AMEX)"
description: |
    Impersonation of the credit card provider American Express.
references:
  - "https://www.inc.com/joseph-steinberg/american-express-users-beware-this-scam.html"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*american express*')
    or strings.ilevenshtein(sender.display_name, 'american express') <= 2
    or strings.ilike(sender.email.domain.domain, '*americanexpress*')
  )
  and sender.email.domain.root_domain not in (
    'aexp.com',
    'americanexpress.com',
    'americanexpress.co.uk',
    'aexpfeedback.com',
    'amexnetwork.com',
    'accountonline.com',
    'transunion.com',
    'amexgiftcard.com',
    'amexgbt.com',
    'citi.com'
  )
  and sender.email.domain.domain not in ('accountprotection.microsoft.com')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "992a9fa9-84ee-5065-8486-b3a2a8ffa676"
```
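To see how the three lookalike tests and the allowlist interact, here is an added stand-alone Python re-implementation of the rule's sender logic run over constructed From headers; it is not Sublime's code. It assumes `fnmatch` globbing is an adequate stand-in for `strings.ilike`, uses a deliberately simplified `root_domain()` (the real platform uses the public suffix list), and the sample senders are invented.

```python
import fnmatch
# Allowlists copied from the rule above.
ALLOWED_ROOT_DOMAINS = {
    'aexp.com', 'americanexpress.com', 'americanexpress.co.uk', 'aexpfeedback.com',
    'amexnetwork.com', 'accountonline.com', 'transunion.com', 'amexgiftcard.com',
    'amexgbt.com', 'citi.com'}
ALLOWED_DOMAINS = {'accountprotection.microsoft.com'}

def ilevenshtein(a, b):
    """Case-insensitive edit distance, standing in for strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def ilike(value, pattern):
    """Case-insensitive glob match, standing in for strings.ilike."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())
def root_domain(domain):
    # Simplified (assumption): only '.co.<tld>' is treated as a two-label suffix.
    parts = domain.lower().split('.')
    if len(parts) >= 3 and parts[-2] == 'co':
        return '.'.join(parts[-3:])
    return '.'.join(parts[-2:])

def matches(display_name, sender_email, recipient_emails=()):
    """True when the sender looks like AMEX but is on none of the allowlists."""
    domain = sender_email.split('@', 1)[1].lower()
    looks_like_amex = (ilike(display_name, '*american express*')
                       or ilevenshtein(display_name, 'american express') <= 2
                       or ilike(domain, '*americanexpress*'))
    return (looks_like_amex
            and root_domain(domain) not in ALLOWED_ROOT_DOMAINS
            and domain not in ALLOWED_DOMAINS
            and sender_email.lower() not in {r.lower() for r in recipient_emails})
# Constructed sample From headers (display name, address); not real messages.
SAMPLES = [
    ("American Express", "alerts@americanexpress.com"),         # allowlisted root
    ("Amercan Expres", "security@mail-verify.example"),         # typo-squat, distance 2
    ("Billing", "noreply@americanexpress-secure.example"),      # lookalike domain
    ("American Express", "x@accountprotection.microsoft.com"),  # excluded domain
]
def flagged():
    return [email for name, email in SAMPLES if matches(name, email)]
```

Only the typo-squatted display name and the lookalike domain are flagged; the genuine root domain and the explicitly excluded Microsoft domain pass, mirroring the rule's allowlist clauses.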