
Summary
This detection rule identifies potential brand impersonation attacks targeting users of American Express (AMEX). It checks for variations of the sender's display name that resemble 'American Express', including character substitutions and typographical errors, using string similarity checks. It also examines the sender's email domain to determine whether it closely mimics a legitimate American Express domain such as 'americanexpress.com'. By excluding known legitimate AMEX domains, the rule aims to flag suspicious messages that may be part of credential phishing attempts, in which attackers impersonate the brand to steal sensitive information from unsuspecting users. Additionally, it takes into account the sender's solicitation history and incorporates DMARC authentication analysis so that otherwise trusted senders that fail authentication checks are still rejected, improving its accuracy in mitigating phishing risk. Overall, the rule provides a protective measure against impersonation tactics that target American Express credentials.
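The checks described above (display-name similarity with substitution handling, look-alike domain matching, an allow-list of legitimate domains, and a DMARC/solicitation gate), as an added Python example rather than the rule's own logic. The 0.8 similarity threshold, the substitution table, the way the DMARC and solicitation signals are combined, and the sample headers are assumptions constructed for the demonstration; the real allow-list is assumed to contain more than the one domain the summary names.

```python
import re
from difflib import SequenceMatcher

BRAND = "american express"
# Legitimate domain named in the rule summary; the real allow-list is assumed to be longer.
LEGIT_DOMAINS = {"americanexpress.com"}
# Look-alike character substitutions undone before comparison (constructed list).
SUBS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s", "|": "l"})

def normalize(text: str) -> str:
    """Lower-case, undo digit/symbol substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(SUBS))

def similarity(a: str, b: str) -> float:
    """difflib ratio in [0, 1] on the normalised strings; 1.0 means identical."""
    return SequenceMatcher(None, normalize(a), normalize(b)).ratio()

def display_name_lookalike(display_name: str, threshold: float = 0.8) -> bool:
    return similarity(display_name, BRAND) >= threshold

def domain_lookalike(domain: str, threshold: float = 0.8) -> bool:
    """True when a non-TLD label mimics the brand and the domain is not allow-listed."""
    if domain.lower() in LEGIT_DOMAINS:
        return False
    for label in domain.lower().split(".")[:-1]:
        n = normalize(label)
        if n.startswith("amex") or "americanexpress" in n or similarity(label, BRAND) >= threshold:
            return True
    return False

def is_brand_impersonation(display_name: str, domain: str, dmarc_pass: bool, solicited: bool) -> bool:
    """Assumed composition: a legitimate AMEX domain or a previously solicited sender is
    excluded only when DMARC passes, so a From: that fails DMARC gets no benefit of the doubt."""
    if dmarc_pass and (domain.lower() in LEGIT_DOMAINS or solicited):
        return False
    return display_name_lookalike(display_name) or domain_lookalike(domain)

# Constructed sample headers: (display name, sender domain, DMARC pass, solicited by recipient).
SAMPLES = [
    ("Amer1can Expre$$", "arnericanexpress.com", True, False),          # substitutions + typo-squat
    ("American Express", "americanexpress.com", True, False),            # genuine, DMARC passes
    ("American Express", "americanexpress.com", False, False),           # spoofed From:, DMARC fails
    ("American Express Offers", "partner-mailer.example", True, True),   # solicited partner mail
    ("Amazon Web Services", "amazon.example", True, False),              # unrelated brand
]

def flagged(samples=SAMPLES) -> list[str]:
    """Return the sender domains of the samples the rule would flag."""
    return [dom for name, dom, dmarc, sol in samples if is_brand_impersonation(name, dom, dmarc, sol)]
```

Calling `flagged()` on the constructed samples flags the typo-squatted domain and the spoofed From: that fails DMARC, while the genuine and solicited messages pass.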
Categories
- Identity Management
- Web
- Cloud
Data Sources
- User Account
- Web Credential
- Network Traffic
Created: 2021-02-19