Low Severity

Brand impersonation: American Express (AMEX)

Labels

Credential Phishing

Impersonation: Brand

Description

Impersonation of the credit card provider American Express.

References

https://www.inc.com/joseph-steinberg/american-express-users-beware-this-scam.html

Sublime Security

Created Aug 17th, 2023 • Last updated Jul 10th, 2025

Feed Source

Sublime Core Feed

Source

GitHub

type.inbound
and (
  regex.icontains(sender.display_name, 'american ?express')
  or strings.ilike(sender.display_name, "*amer?can expres*")
  or strings.ilevenshtein(sender.display_name, 'american express') <= 2
  or strings.ilike(sender.email.domain.domain, '*americanexpress*')
)
and sender.email.domain.root_domain not in (
  'aexp.com',
  'americanexpress.ae',
  'americanexpress.com',
  'americanexpress.co.uk',
  'americanexpress.com.bh',
  'aexpfeedback.com',
  'amexnetwork.com',
  'accountonline.com',
  'transunion.com',
  'amexgiftcard.com',
  'amexgbt.com',
  'herrickstravelamex.com',
  'citi.com',
  'secure.com',
  'nectar.com',
  'accentinfomedia.com',
  'egencia.com'
)
and sender.email.domain.domain not in ('accountprotection.microsoft.com', 'amex.membershipmail.net')

and not profile.by_sender().solicited

// negate highly trusted sender domains unless they fail DMARC authentication
and (
  (
    sender.email.domain.root_domain in $high_trust_sender_root_domains
    and not headers.auth_summary.dmarc.pass
  )
  or sender.email.domain.root_domain not in $high_trust_sender_root_domains
)

MQL Rule Console

•Docs•Learning Labs

Playground

Test against your own EMLs or sample data.

Post about this on your socials.

Get Started. Today.

Managed or self-managed. No MX changes.