Brand impersonation: American Express (AMEX)
Impersonation of the credit card provider American Express.
Sublime rule
```yaml
name: "Brand impersonation: American Express (AMEX)"
description: |
  Impersonation of the credit card provider American Express.
references:
  - "https://www.inc.com/joseph-steinberg/american-express-users-beware-this-scam.html"
type: "rule"
severity: "low"
source: |
  type.inbound
  and (
    strings.ilike(sender.display_name, '*american express*')
    or strings.ilevenshtein(sender.display_name, 'american express') <= 2
    or strings.ilike(sender.email.domain.domain, '*americanexpress*')
  )
  and sender.email.domain.root_domain not in (
    'aexp.com',
    'americanexpress.com',
    'americanexpress.co.uk',
    'aexpfeedback.com',
    'amexnetwork.com',
    'accountonline.com',
    'transunion.com',
    'amexgiftcard.com',
    'amexgbt.com',
    'citi.com'
  )
  and sender.email.domain.domain not in ('accountprotection.microsoft.com')
  and sender.email.email not in $recipient_emails
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Lookalike domain"
  - "Social engineering"
detection_methods:
  - "Header analysis"
  - "Sender analysis"
id: "992a9fa9-84ee-5065-8486-b3a2a8ffa676"
```
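To make the rule's three impersonation tests and its two exemption lists concrete, the following is an added Python re-implementation of the MQL logic above, run over a handful of constructed sender headers. It is example code written for this page, not Sublime's engine or the rule author's code. The `Message` class, the sample messages, the tiny `MULTI_LABEL_SUFFIXES` stand-in for the public-suffix data that Sublime's `root_domain` uses, and the treatment of `$recipient_emails` as a per-message list are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Allowlists copied from the rule above.
ALLOWED_ROOT_DOMAINS = {
    'aexp.com', 'americanexpress.com', 'americanexpress.co.uk', 'aexpfeedback.com',
    'amexnetwork.com', 'accountonline.com', 'transunion.com', 'amexgiftcard.com',
    'amexgbt.com', 'citi.com',
}
ALLOWED_FULL_DOMAINS = {'accountprotection.microsoft.com'}

# Assumption: a minimal stand-in for the public-suffix list behind Sublime's
# root_domain. Only the multi-label suffix this allowlist needs is included.
MULTI_LABEL_SUFFIXES = {'co.uk'}


@dataclass
class Message:
    """Constructed stand-in for the message fields the rule reads."""
    inbound: bool
    display_name: str
    sender_email: str
    recipient_emails: list = field(default_factory=list)  # models $recipient_emails


def ilike(value: str, pattern: str) -> bool:
    """Case-insensitive glob match like strings.ilike: '*' any run, '?' one char."""
    regex = re.escape(pattern).replace(r'\*', '.*').replace(r'\?', '.')
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None


def ilevenshtein(a: str, b: str) -> int:
    """Case-insensitive edit distance like strings.ilevenshtein."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(email: str) -> str:
    return email.rsplit('@', 1)[-1].lower()


def root_domain(domain: str) -> str:
    """Registrable domain (eTLD+1), using the tiny suffix table above."""
    labels = domain.split('.')
    keep = 3 if '.'.join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return '.'.join(labels[-keep:])


def matches_rule(msg: Message) -> bool:
    """Mirror of the rule's source block, clause for clause."""
    domain = domain_of(msg.sender_email)
    impersonation = (
        ilike(msg.display_name, '*american express*')
        or ilevenshtein(msg.display_name, 'american express') <= 2
        or ilike(domain, '*americanexpress*')
    )
    return (
        msg.inbound
        and impersonation
        and root_domain(domain) not in ALLOWED_ROOT_DOMAINS
        and domain not in ALLOWED_FULL_DOMAINS
        and msg.sender_email.lower() not in {r.lower() for r in msg.recipient_emails}
    )


# Constructed sample senders; none of these addresses is a real observed sample.
SAMPLES = {
    'legit-amex': Message(True, 'American Express', 'alerts@welcome.americanexpress.com'),
    'typo-name-lookalike-domain': Message(True, 'Amercan Express', 'secure@amex-verify-account.com'),
    'brand-in-domain': Message(True, 'Card Services', 'noreply@americanexpress-alerts.net'),
    'self-sent': Message(True, 'American Express', 'alice@corp.example', ['alice@corp.example']),
    'microsoft-exempt': Message(True, 'AMERICAN EXPRESS Service', 'notify@accountprotection.microsoft.com'),
    'outbound': Message(False, 'American Express', 'secure@amex-verify-account.com'),
    'unrelated': Message(True, 'Amex Travel', 'deals@travel-deals.example'),
}


def flagged(samples=SAMPLES) -> list:
    """Names of the samples the rule would fire on."""
    return [name for name, msg in samples.items() if matches_rule(msg)]


if __name__ == '__main__':
    for name, msg in SAMPLES.items():
        print(f'{name:28s} -> {matches_rule(msg)}')
```

Two points the samples make visible: the `accountprotection.microsoft.com` exemption has to be a full-domain match because its root domain (`microsoft.com`) is not in the root-domain allowlist, and the Levenshtein clause catches a one-character typo in the display name but not a short nickname such as "Amex", which the rule does not attempt to cover.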