
Summary
This detection rule identifies phishing attempts that exploit the Google Accelerated Mobile Pages (AMP) URL structure to mislead users. It matches URL patterns characteristic of Google AMP, specifically URLs whose second-level domain (SLD) is 'google' and whose path starts with '/amp'. It then analyzes the content of the linked website to distinguish legitimate AMP pages from deceptive ones, for example pages that carry logos of other brands, present login prompts or captchas, or are flagged as phishing by various analytics. It also checks whether the link's display text is appropriate for the destination and whether user-specific information is embedded in the URL path, both of which are additional indicators of phishing. By combining computer vision, natural language processing, and URL scrutiny, the rule provides a comprehensive evaluation of suspicious links that leverage Google AMP infrastructure.
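The URL-level part of the logic described above, as an added illustration rather than the rule's own code: it checks the 'google' SLD and '/amp' path prefix, pulls the origin site out of the path (assuming the `/amp/s/<host>` layout of AMP cache links), flags display text that names a different host, and flags an e-mail address embedded in the path or query. The content checks (logos, login prompts, captchas) are out of scope here, the SLD handling is simplified, and the sample links are constructed.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed (href, display text) pairs for this example; not from any real campaign.
SAMPLE_LINKS = [
    ("https://www.google.com/amp/s/example-news.test/story?id=7", "example-news.test"),
    ("https://www.google.com/amp/s/login-portal.test/auth/jane.doe%40corp.test", "Review your invoice"),
    ("https://www.google.co.uk/amp/s/docs-share.test/view", "https://sharepoint.com/shared/doc"),
    ("https://example.com/amp/page", "example.com"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Display text that reads as a URL or bare domain; captures the host part.
URLISH_RE = re.compile(r"^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/?#]|$)")

def second_level_domain(host):
    """Return the SLD of a hostname. Simplified: treats 'co', 'com', 'org', 'net',
    'ac', 'gov' directly under a ccTLD as part of the public suffix."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return host.lower()
    sld = labels[-2]
    if sld in {"co", "com", "org", "net", "ac", "gov"} and len(labels) >= 3:
        sld = labels[-3]
    return sld

def analyze_link(href, display_text):
    """Return the URL-level indicators for one link as a dict."""
    p = urlparse(href)
    host = (p.hostname or "").lower()
    path, query = unquote(p.path), unquote(p.query)
    amp = second_level_domain(host) == "google" and path.startswith("/amp")
    # AMP cache links carry the origin site after '/amp/s/' (assumed layout).
    segs = path.split("/")
    embedded_host = segs[3].lower() if amp and len(segs) > 3 and segs[2] == "s" else None
    # Display text naming a host that is neither the link host nor the embedded origin.
    m = URLISH_RE.match(display_text.strip())
    shown_host = m.group(1).lower() if m else None
    display_mismatch = False
    if shown_host and shown_host != host:
        display_mismatch = not (embedded_host and
                                (shown_host == embedded_host or shown_host.endswith("." + embedded_host)))
    user_info = bool(EMAIL_RE.search(path) or EMAIL_RE.search(query))
    return {
        "google_amp": amp,
        "embedded_host": embedded_host,
        "display_mismatch": display_mismatch,
        "user_info_in_url": user_info,
        "suspicious": amp and (display_mismatch or user_info),
    }

if __name__ == "__main__":
    for href, text in SAMPLE_LINKS:
        print(href, analyze_link(href, text))
```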
Categories
- Web
- Cloud
- Application
Data Sources
- Web Credential
- Network Traffic
- Application Log
Created: 2023-08-03