From 2609ced367a4ebe0781ebdd796cf68bef283674d Mon Sep 17 00:00:00 2001
From: Rishi <hakrishi@pm.me>
Date: Tue, 27 Feb 2024 19:37:59 +0000
Subject: [PATCH] american-express-phishing-website

---
 http/phishing/american-express-phish.yaml | 34 +++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 http/phishing/american-express-phish.yaml

diff --git a/http/phishing/american-express-phish.yaml b/http/phishing/american-express-phish.yaml
new file mode 100644
index 0000000000..ecf037d8d5
--- /dev/null
+++ b/http/phishing/american-express-phish.yaml
@@ -0,0 +1,34 @@
+id: american-express-phish
+
+info:
+  name: american-express phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An american express phishing website was detected
+  reference:
+    - https://www.americanexpress.com
+  tags: phishing,american-express
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Credit Cards, Rewards, Travel and Business Services | American Express'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"americanexpress.com")'
\ No newline at end of file