Merge pull request #14714 from rxerium/add-phishing-templates

Fishing For Phishing v2
2026-01-31 15:53:33 +08:00 · 2026-01-25 09:18:06 +09:00
parent f382849ec0 578b9ddb08
commit c5bf2ce082
286 changed files with 9903 additions and 9 deletions
--- a/http/miscellaneous/oauth-authorization-server-exposure.yaml
+++ b/http/miscellaneous/oauth-authorization-server-exposure.yaml
@@ -2,7 +2,7 @@ id: oauth-authorization-server-exposure

 info:
  name: Well-Known OAuth Authorization Server Metadata
-  author: rxeriums
+  author: rxerium
  severity: info
  description: |
    Detects OAuth 2.0 Authorization Server metadata (RFC 8414).
--- a/http/osint/phishing/1a-auto-phish.yaml
+++ b/http/osint/phishing/1a-auto-phish.yaml
@@ -0,0 +1,34 @@
+id: 1a-auto-phish
+
+info:
+  name: 1A Auto phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A 1A Auto phishing website was detected
+  reference:
+    - https://1aauto.com
+  metadata:
+    max-request: 1
+  tags: phishing,1a-auto,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>1A Auto | Aftermarket Car Parts -  Buy Quality Auto Parts Online'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"1aauto.com")'
--- a/http/osint/phishing/ace-hardware-phish.yaml
+++ b/http/osint/phishing/ace-hardware-phish.yaml
@@ -0,0 +1,36 @@
+id: ace-hardware-phish
+
+info:
+  name: Ace Hardware phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Ace Hardware phishing website was detected
+  reference:
+    - https://acehardware.com
+  metadata:
+    max-request: 1
+  tags: phishing,ace-hardware,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Ace Hardware'
+          - 'Shop Ace Hardware for grills, hardware, home improvement, lawn and garden, and tools. Buy online &amp; pickup today!'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"acehardware.com")'
--- a/http/osint/phishing/advance-auto-phish.yaml
+++ b/http/osint/phishing/advance-auto-phish.yaml
@@ -0,0 +1,36 @@
+id: advance-auto-phish
+
+info:
+  name: Advance Auto Parts phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Advance Auto Parts phishing website was detected
+  reference:
+    - https://advanceautoparts.com
+  metadata:
+    max-request: 1
+  tags: phishing,advance-auto,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Advance Auto Parts: Car, Engine, Batteries, Brakes, Replacement, Performance &amp; Accessories'
+          - 'Advance Auto '
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"advanceautoparts.com")'
--- a/http/osint/phishing/affirm-phish.yaml
+++ b/http/osint/phishing/affirm-phish.yaml
@@ -0,0 +1,34 @@
+id: affirm-phish
+
+info:
+  name: Affirm phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Affirm phishing website was detected
+  reference:
+    - https://affirm.com
+  metadata:
+    max-request: 1
+  tags: phishing,affirm,payment,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Affirm | Pay over time with flexible payment plans and no fees'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"affirm.com")'
--- a/http/osint/phishing/afterpay-phish.yaml
+++ b/http/osint/phishing/afterpay-phish.yaml
@@ -0,0 +1,34 @@
+id: afterpay-phish
+
+info:
+  name: Afterpay phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Afterpay phishing website was detected
+  reference:
+    - https://afterpay.com
+  metadata:
+    max-request: 1
+  tags: phishing,afterpay,payment,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Buy Now Pay Later with Afterpay'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"afterpay.com")'
--- a/http/osint/phishing/airbnb-phish.yaml
+++ b/http/osint/phishing/airbnb-phish.yaml
@@ -0,0 +1,36 @@
+id: airbnb-phish
+
+info:
+  name: Airbnb phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Airbnb phishing website was detected
+  reference:
+    - https://airbnb.com
+  metadata:
+    max-request: 1
+  tags: phishing,airbnb,travel,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'https://a0.muscache.com/airbnb/static/'
+          - 'Airbnb'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"airbnb.com")'
--- a/http/osint/phishing/airtable-phish.yaml
+++ b/http/osint/phishing/airtable-phish.yaml
@@ -0,0 +1,34 @@
+id: airtable-phish
+
+info:
+  name: Airtable phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Airtable phishing website was detected
+  reference:
+    - https://airtable.com
+  metadata:
+    max-request: 1
+  tags: phishing,airtable,productivity,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Airtable: AI App Building for Enterprise - Airtable'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"airtable.com")'
--- a/http/osint/phishing/ally-bank-phish.yaml
+++ b/http/osint/phishing/ally-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: ally-bank-phish
+
+info:
+  name: Ally Bank phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Ally Bank phishing website was detected
+  reference:
+    - https://ally.com
+  metadata:
+    max-request: 1
+  tags: phishing,ally-bank,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Ally'
+          - 'anage your money with Ally: online banking, auto financing, and investments. Financial products designed to help you pursue your goals.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"ally.com")'
--- a/http/osint/phishing/amc-plus-phish.yaml
+++ b/http/osint/phishing/amc-plus-phish.yaml
@@ -0,0 +1,36 @@
+id: amc-plus-phish
+
+info:
+  name: AMC+ phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An AMC+ phishing website was detected
+  reference:
+    - https://amcplus.com
+  metadata:
+    max-request: 1
+  tags: phishing,amc-plus,streaming,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'AMC+ features world-class originals, award-winning series, and exclusive movies. Includes Shudder &amp; Sundance Now. AMC+ is entertainment uncompromised. Start your free trial!'
+          - '<title>AMC+ | Premium Streaming Bundle | Watch TV Shows &amp; Movies'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"amcplus.com")'
--- a/http/osint/phishing/americanmuscle-phish.yaml
+++ b/http/osint/phishing/americanmuscle-phish.yaml
@@ -0,0 +1,34 @@
+id: americanmuscle-phish
+
+info:
+  name: AmericanMuscle phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An AmericanMuscle phishing website was detected
+  reference:
+    - https://americanmuscle.com
+  metadata:
+    max-request: 1
+  tags: phishing,americanmuscle,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Performance Muscle Car Parts & Accessories | AmericanMuscle'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"americanmuscle.com")'
--- a/http/osint/phishing/amplitude-phish.yaml
+++ b/http/osint/phishing/amplitude-phish.yaml
@@ -0,0 +1,34 @@
+id: amplitude-phish
+
+info:
+  name: Amplitude phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Amplitude phishing website was detected
+  reference:
+    - https://amplitude.com
+  metadata:
+    max-request: 1
+  tags: phishing,amplitude,analytics,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>AI Analytics Platform for Modern Digital Analytics | Amplitude'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"amplitude.com")'
--- a/http/osint/phishing/anthropic-phish.yaml
+++ b/http/osint/phishing/anthropic-phish.yaml
@@ -0,0 +1,37 @@
+id: anthropic-phish
+
+info:
+  name: Anthropic phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Anthropic phishing website was detected
+  reference:
+    - https://anthropic.com
+  metadata:
+    max-request: 1
+  tags: phishing,anthropic,claude,ai,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Anthropic'
+          - '<title>Home \ Anthropic'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"anthropic.com")'
+          - '!contains(host,"claude.ai")'
--- a/http/osint/phishing/anydo-phish.yaml
+++ b/http/osint/phishing/anydo-phish.yaml
@@ -0,0 +1,34 @@
+id: anydo-phish
+
+info:
+  name: Any.do phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Any.do phishing website was detected
+  reference:
+    - https://any.do
+  metadata:
+    max-request: 1
+  tags: phishing,anydo,productivity,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>A simple to do list for you and your team'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"any.do")'
--- a/http/osint/phishing/anz-phish.yaml
+++ b/http/osint/phishing/anz-phish.yaml
@@ -0,0 +1,34 @@
+id: anz-phish
+
+info:
+  name: ANZ phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An ANZ phishing website was detected
+  reference:
+    - https://anz.com
+  metadata:
+    max-request: 1
+  tags: phishing,anz,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>ANZ Personal – Bank accounts, home loans, credit cards &amp; more | ANZ'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"anz.com")'
--- a/http/osint/phishing/asana-phish.yaml
+++ b/http/osint/phishing/asana-phish.yaml
@@ -0,0 +1,36 @@
+id: asana-phish
+
+info:
+  name: Asana phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Asana phishing website was detected
+  reference:
+    - https://asana.com
+  metadata:
+    max-request: 1
+  tags: phishing,asana,productivity,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'window.AsanaStorage.optanonWrapperInitialized'
+          - 'Asana'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"asana.com")'
--- a/http/osint/phishing/atlassian-phish.yaml
+++ b/http/osint/phishing/atlassian-phish.yaml
@@ -0,0 +1,34 @@
+id: atlassian-phish
+
+info:
+  name: Atlassian phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Atlassian phishing website was detected
+  reference:
+    - https://atlassian.com
+  metadata:
+    max-request: 1
+  tags: phishing,atlassian,productivity,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'team collaboration software like Jira, Confluence and Trello help teams organize, discuss, and complete shared work.'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"atlassian.com")'
--- a/http/osint/phishing/audible-phish.yaml
+++ b/http/osint/phishing/audible-phish.yaml
@@ -0,0 +1,37 @@
+id: audible-phish
+
+info:
+  name: Audible phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Audible phishing website was detected
+  reference:
+    - https://audible.com
+  metadata:
+    max-request: 1
+  tags: phishing,audible,amazon,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Audible'
+          - 'Try Audible free for 30 days! Start listening to best-selling audiobooks, exclusive Originals, and free podcasts with the Audible app.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"audible.com")'
+          - '!contains(host,"amazon.com")'
--- a/http/osint/phishing/auth0-phish.yaml
+++ b/http/osint/phishing/auth0-phish.yaml
@@ -0,0 +1,35 @@
+id: auth0-phish
+
+info:
+  name: Auth0 phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Auth0 phishing website was detected
+  reference:
+    - https://auth0.com
+  metadata:
+    max-request: 1
+  tags: phishing,auth0,authentication,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'ecure users, AI agents, and more with Auth0, an easy-to-implement, scalable, and adaptable authentication and authorization platform.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"auth0.com")'
--- a/http/osint/phishing/authy-phish.yaml
+++ b/http/osint/phishing/authy-phish.yaml
@@ -0,0 +1,34 @@
+id: authy-phish
+
+info:
+  name: Authy phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Authy phishing website was detected
+  reference:
+    - https://authy.com
+  metadata:
+    max-request: 1
+  tags: phishing,authy,security,2fa,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Authy: Two-factor Authentication (2FA) App &amp; Guides | Authy'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"authy.com")'
--- a/http/osint/phishing/autodesk-phish.yaml
+++ b/http/osint/phishing/autodesk-phish.yaml
@@ -0,0 +1,34 @@
+id: autodesk-phish
+
+info:
+  name: Autodesk phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Autodesk phishing website was detected
+  reference:
+    - https://autodesk.com
+  metadata:
+    max-request: 1
+  tags: phishing,autodesk,design,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Autodesk | 3D Design, Engineering &amp; Construction Software'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"autodesk.com")'
--- a/http/osint/phishing/autozone-phish.yaml
+++ b/http/osint/phishing/autozone-phish.yaml
@@ -0,0 +1,36 @@
+id: autozone-phish
+
+info:
+  name: AutoZone phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An AutoZone phishing website was detected
+  reference:
+    - https://autozone.com
+  metadata:
+    max-request: 1
+  tags: phishing,autozone,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'AutoZone'
+          - 'Shop top-quality auto parts at AutoZone. Your go-to source for car and truck parts, DIY repair advice, and Free Next Day Delivery. Shop at over 6300 locations nationwide'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"autozone.com")'
--- a/http/osint/phishing/azure-phish.yaml
+++ b/http/osint/phishing/azure-phish.yaml
@@ -0,0 +1,35 @@
+id: azure-phish
+
+info:
+  name: Microsoft Azure phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Microsoft Azure phishing website was detected
+  reference:
+    - https://azure.microsoft.com
+  metadata:
+    max-request: 1
+  tags: phishing,azure,microsoft,cloud,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Invent with purpose, realize cost savings, and make your organization more efficient with Microsoft Azure’s open and flexible cloud computing platform.'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"azure.com")'
+          - '!contains(host,"microsoft.com")'
--- a/http/osint/phishing/backblaze-phish.yaml
+++ b/http/osint/phishing/backblaze-phish.yaml
@@ -0,0 +1,34 @@
+id: backblaze-phish
+
+info:
+  name: Backblaze phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Backblaze phishing website was detected
+  reference:
+    - https://backblaze.com
+  metadata:
+    max-request: 1
+  tags: phishing,backblaze,backup,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>The Leading Open Cloud Storage Platform - Backblaze'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"backblaze.com")'
--- a/http/osint/phishing/bandcamp-phish.yaml
+++ b/http/osint/phishing/bandcamp-phish.yaml
@@ -0,0 +1,36 @@
+id: bandcamp-phish
+
+info:
+  name: Bandcamp phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Bandcamp phishing website was detected
+  reference:
+    - https://bandcamp.com
+  metadata:
+    max-request: 1
+  tags: phishing,bandcamp,streaming,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Bandcamp'
+          - 'Discover amazing music and directly support the artists who make it.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bandcamp.com")'
--- a/http/osint/phishing/barclays-phish.yaml
+++ b/http/osint/phishing/barclays-phish.yaml
@@ -0,0 +1,38 @@
+id: barclays-phish
+
+info:
+  name: Barclays phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Barclays phishing website was detected
+  reference:
+    - https://barclays.com
+  metadata:
+    max-request: 1
+  tags: phishing,barclays,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Barclays'
+          - '<title>Barclays Group corporate website | Barclays'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"barclays.com")'
+          - '!contains(host,"home.barclays")'
+        condition: and
--- a/http/osint/phishing/bethesda-phish.yaml
+++ b/http/osint/phishing/bethesda-phish.yaml
@@ -0,0 +1,36 @@
+id: bethesda-phish
+
+info:
+  name: Bethesda phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Bethesda phishing website was detected
+  reference:
+    - https://bethesda.net
+  metadata:
+    max-request: 1
+  tags: phishing,bethesda,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'The official site for Bethesda, publisher of Fallout, DOOM, Dishonored, Skyrim, Wolfenstein, The Elder Scrolls, more. Your source for news, features &amp; community'
+          - 'Bethesda'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bethesda.net")'
--- a/http/osint/phishing/bigcommerce-phish.yaml
+++ b/http/osint/phishing/bigcommerce-phish.yaml
@@ -0,0 +1,34 @@
+id: bigcommerce-phish
+
+info:
+  name: BigCommerce phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A BigCommerce phishing website was detected
+  reference:
+    - https://bigcommerce.com
+  metadata:
+    max-request: 1
+  tags: phishing,bigcommerce,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Shape Your Future On Your Terms | BigCommerce'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bigcommerce.com")'
--- a/http/osint/phishing/binance-phish.yaml
+++ b/http/osint/phishing/binance-phish.yaml
@@ -0,0 +1,36 @@
+id: binance-phish
+
+info:
+  name: Binance phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Binance phishing website was detected
+  reference:
+    - https://binance.com
+  metadata:
+    max-request: 1
+  tags: phishing,binance,crypto,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Binance'
+          - 'Binance: The World’s Most Trusted Cryptocurrency Exchange to Buy, Trade &amp; Invest in Crypto'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"binance.com")'
--- a/http/osint/phishing/bitbucket-phish.yaml
+++ b/http/osint/phishing/bitbucket-phish.yaml
@@ -0,0 +1,37 @@
+id: bitbucket-phish
+
+info:
+  name: Bitbucket phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Bitbucket phishing website was detected
+  reference:
+    - https://bitbucket.org
+  metadata:
+    max-request: 1
+  tags: phishing,bitbucket,atlassian,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Bitbucket'
+          - '<title> Bitbucket | Git solution for teams using Jira'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bitbucket.org")'
+          - '!contains(host,"atlassian.com")'
--- a/http/osint/phishing/bitfinex-phish.yaml
+++ b/http/osint/phishing/bitfinex-phish.yaml
@@ -0,0 +1,36 @@
+id: bitfinex-phish
+
+info:
+  name: Bitfinex phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Bitfinex phishing website was detected
+  reference:
+    - https://bitfinex.com
+  metadata:
+    max-request: 1
+  tags: phishing,bitfinex,crypto,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Bitfinex'
+          - 'Bitfinex is the longest-running and most liquid major cryptocurrency exchange. Founded in 2012, it has become the go-to platform for traders &amp; institutional investors.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bitfinex.com")'
--- a/http/osint/phishing/bjs-phish.yaml
+++ b/http/osint/phishing/bjs-phish.yaml
@@ -0,0 +1,36 @@
+id: bjs-phish
+
+info:
+  name: BJ's Wholesale Club phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A BJ's Wholesale Club phishing website was detected
+  reference:
+    - https://bjs.com
+  metadata:
+    max-request: 1
+  tags: phishing,bjs,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "BJ's Wholesale Club"
+          - "BJ's Wholesale Club is a leading operator of membership warehouse clubs."
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bjs.com")'
--- a/http/osint/phishing/blizzard-phish.yaml
+++ b/http/osint/phishing/blizzard-phish.yaml
@@ -0,0 +1,36 @@
+id: blizzard-phish
+
+info:
+  name: Blizzard phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Blizzard phishing website was detected
+  reference:
+    - https://blizzard.com
+  metadata:
+    max-request: 1
+  tags: phishing,blizzard,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Creators of the Warcraft, Diablo, StarCraft, and Overwatch series, Blizzard Entertainment is an industry-leading developer responsible for the most epic entertainment experiences, ever.'
+          - 'Blizzard'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"blizzard.com")'
--- a/http/osint/phishing/bmo-phish.yaml
+++ b/http/osint/phishing/bmo-phish.yaml
@@ -0,0 +1,36 @@
+id: bmo-phish
+
+info:
+  name: BMO phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A BMO phishing website was detected
+  reference:
+    - https://bmo.com
+  metadata:
+    max-request: 1
+  tags: phishing,bmo,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'BMO'
+          - "We're here to help! BMO offers a wide range of personal and business banking services, including bank accounts, mortgages, credit cards, loans and more."
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bmo.com")'
--- a/http/osint/phishing/bnp-paribas-phish.yaml
+++ b/http/osint/phishing/bnp-paribas-phish.yaml
@@ -0,0 +1,38 @@
+id: bnp-paribas-phish
+
+info:
+  name: BNP Paribas phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A BNP Paribas phishing website was detected
+  reference:
+    - https://bnpparibas.com
+  metadata:
+    max-request: 1
+  tags: phishing,bnp-paribas,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'BNP Paribas'
+          - '<title>Banque BNP Paribas | La banque d&#039;un monde qui change'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"bnpparibas.com")'
+          - '!contains(host,"group.bnpparibas")'
+        condition: and
--- a/http/osint/phishing/booking-com-phish.yaml
+++ b/http/osint/phishing/booking-com-phish.yaml
@@ -0,0 +1,36 @@
+id: booking-com-phish
+
+info:
+  name: Booking.com phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Booking.com phishing website was detected
+  reference:
+    - https://booking.com
+  metadata:
+    max-request: 1
+  tags: phishing,booking,travel,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Booking.com'
+          - 'Booking.com | Official site | The best hotels, flights, car rentals &amp; accommodations'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"booking.com")'
--- a/http/osint/phishing/brevo-phish.yaml
+++ b/http/osint/phishing/brevo-phish.yaml
@@ -0,0 +1,35 @@
+id: brevo-phish
+
+info:
+  name: Brevo phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Brevo phishing website was detected
+  reference:
+    - https://brevo.com
+  metadata:
+    max-request: 1
+  tags: phishing,brevo,sendinblue,email,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Brevo | All-in-one Marketing &amp; Sales Platform'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"brevo.com")'
+          - '!contains(host,"sendinblue.com")'
--- a/http/osint/phishing/buymeacoffee-phish.yaml
+++ b/http/osint/phishing/buymeacoffee-phish.yaml
@@ -0,0 +1,36 @@
+id: buymeacoffee-phish
+
+info:
+  name: Buy Me a Coffee phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Buy Me a Coffee phishing website was detected
+  reference:
+    - https://buymeacoffee.com
+  metadata:
+    max-request: 1
+  tags: phishing,buymeacoffee,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Buy Me a Coffee is the best way for creators and artists to accept support and membership from their fans.'
+          - '<title>Buy Me a Coffee'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"buymeacoffee.com")'
--- a/http/osint/phishing/cafepress-phish.yaml
+++ b/http/osint/phishing/cafepress-phish.yaml
@@ -0,0 +1,36 @@
+id: cafepress-phish
+
+info:
+  name: CafePress phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CafePress phishing website was detected
+  reference:
+    - https://cafepress.com
+  metadata:
+    max-request: 1
+  tags: phishing,cafepress,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'CafePress'
+          - '<title> CafePress | Best merchandise to express yourself'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"cafepress.com")'
--- a/http/osint/phishing/calendly-phish.yaml
+++ b/http/osint/phishing/calendly-phish.yaml
@@ -0,0 +1,34 @@
+id: calendly-phish
+
+info:
+  name: Calendly phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Calendly phishing website was detected
+  reference:
+    - https://calendly.com
+  metadata:
+    max-request: 1
+  tags: phishing,calendly,scheduling,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Calendly is the modern scheduling platform that makes “finding time” a breeze. When connecting is easy, your teams can get more done.'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"calendly.com")'
--- a/http/osint/phishing/canva-phish.yaml
+++ b/http/osint/phishing/canva-phish.yaml
@@ -0,0 +1,34 @@
+id: canva-phish
+
+info:
+  name: Canva phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Canva phishing website was detected
+  reference:
+    - https://canva.com
+  metadata:
+    max-request: 1
+  tags: phishing,canva,design,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Canva: Visual Suite for Everyone'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"canva.com")'
--- a/http/osint/phishing/capital-one-phish.yaml
+++ b/http/osint/phishing/capital-one-phish.yaml
@@ -0,0 +1,36 @@
+id: capital-one-phish
+
+info:
+  name: Capital One phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Capital One phishing website was detected
+  reference:
+    - https://capitalone.com
+  metadata:
+    max-request: 1
+  tags: phishing,capital-one,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Capital One'
+          - '<title>Capital One | Credit Cards, Checking, Savings &amp; Auto Loans'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"capitalone.com")'
--- a/http/osint/phishing/caviar-phish.yaml
+++ b/http/osint/phishing/caviar-phish.yaml
@@ -0,0 +1,36 @@
+id: caviar-phish
+
+info:
+  name: Caviar phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Caviar phishing website was detected
+  reference:
+    - https://trycaviar.com
+  metadata:
+    max-request: 1
+  tags: phishing,caviar,food-delivery,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Caviar'
+          - 'et food, grocery, and retail essentials delivered fast. Shop same-day delivery from local stores and restaurants near you.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"trycaviar.com")'
--- a/http/osint/phishing/chatgpt-phish.yaml
+++ b/http/osint/phishing/chatgpt-phish.yaml
@@ -0,0 +1,37 @@
+id: chatgpt-phish
+
+info:
+  name: ChatGPT phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A ChatGPT phishing website was detected
+  reference:
+    - https://chatgpt.com
+  metadata:
+    max-request: 1
+  tags: phishing,chatgpt,openai,ai,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>ChatGPT'
+          - 'ChatGPT helps you get answers, find inspiration, and be more productive.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"chatgpt.com")'
+          - '!contains(host,"openai.com")'
--- a/http/osint/phishing/chime-phish.yaml
+++ b/http/osint/phishing/chime-phish.yaml
@@ -0,0 +1,36 @@
+id: chime-phish
+
+info:
+  name: Chime phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Chime phishing website was detected
+  reference:
+    - https://chime.com
+  metadata:
+    max-request: 1
+  tags: phishing,chime,fintech,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Chime'
+          - 'No monthly fees. 60k+ ATMs. Build credit. Get fee-free overdraft up to $200.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"chime.com")'
--- a/http/osint/phishing/cibc-phish.yaml
+++ b/http/osint/phishing/cibc-phish.yaml
@@ -0,0 +1,36 @@
+id: cibc-phish
+
+info:
+  name: CIBC phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CIBC phishing website was detected
+  reference:
+    - https://cibc.com
+  metadata:
+    max-request: 1
+  tags: phishing,cibc,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'CIBC'
+          - 'CIBC U.S. provides tailored commercial and personal banking services, private wealth management and small business financial solutions from coast to coast. We invest in businesses, people and communities, striving to build trusting and enduring relationships by putting our clients at the center of all we do.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"cibc.com")'
--- a/http/osint/phishing/citibank-phish.yaml
+++ b/http/osint/phishing/citibank-phish.yaml
@@ -0,0 +1,37 @@
+id: citibank-phish
+
+info:
+  name: Citibank phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Citibank phishing website was detected
+  reference:
+    - https://citi.com
+  metadata:
+    max-request: 1
+  tags: phishing,citibank,citi,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Citi'
+          - 'Citibank is the consumer division of financial services multinational Citigroup. Citibank was founded in 1812 as the City Bank of New York, and later became First National City Bank of New York. Citibank provides credit cards, mortgages, personal loans, commercial loans, and lines of credit.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"citi.com")'
+          - '!contains(host,"citibank.com")'
--- a/http/osint/phishing/cj-pony-parts-phish.yaml
+++ b/http/osint/phishing/cj-pony-parts-phish.yaml
@@ -0,0 +1,34 @@
+id: cj-pony-parts-phish
+
+info:
+  name: CJ Pony Parts phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CJ Pony Parts phishing website was detected
+  reference:
+    - https://cjponyparts.com
+  metadata:
+    max-request: 1
+  tags: phishing,cj-pony-parts,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Empowering enthusiasts to build their dream vehicles with top aftermarket parts for Ford Mustangs, Broncos, Focus STs, F-100s, and Chevy C10s. Shop now!'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"cjponyparts.com")'
--- a/http/osint/phishing/clickup-phish.yaml
+++ b/http/osint/phishing/clickup-phish.yaml
@@ -0,0 +1,34 @@
+id: clickup-phish
+
+info:
+  name: ClickUp phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A ClickUp phishing website was detected
+  reference:
+    - https://clickup.com
+  metadata:
+    max-request: 1
+  tags: phishing,clickup,productivity,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'ClickUp™ | Maximize productivity • Software, AI, and humans converge'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"clickup.com")'
--- a/http/osint/phishing/cloudflare-phish.yaml
+++ b/http/osint/phishing/cloudflare-phish.yaml
@@ -0,0 +1,36 @@
+id: cloudflare-phish
+
+info:
+  name: Cloudflare phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Cloudflare phishing website was detected
+  reference:
+    - https://cloudflare.com
+  metadata:
+    max-request: 1
+  tags: phishing,cloudflare,cdn,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Cloudflare'
+          - 'Make employees, applications and networks faster and more secure everywhere, while reducing complexity and cost.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"cloudflare.com")'
--- a/http/osint/phishing/codesandbox-phish.yaml
+++ b/http/osint/phishing/codesandbox-phish.yaml
@@ -0,0 +1,34 @@
+id: codesandbox-phish
+
+info:
+  name: CodeSandbox phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CodeSandbox phishing website was detected
+  reference:
+    - https://codesandbox.io
+  metadata:
+    max-request: 1
+  tags: phishing,codesandbox,developer,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>CodeSandbox: Instant Cloud Development Environments'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"codesandbox.io")'
--- a/http/osint/phishing/coinbase-phish.yaml
+++ b/http/osint/phishing/coinbase-phish.yaml
@@ -0,0 +1,36 @@
+id: coinbase-phish
+
+info:
+  name: Coinbase phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Coinbase phishing website was detected
+  reference:
+    - https://coinbase.com
+  metadata:
+    max-request: 1
+  tags: phishing,coinbase,crypto,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Coinbase'
+          - 'Coinbase - Buy and Sell Bitcoin, Ethereum, and more with trust'
+        condition: or
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"coinbase.com")'
--- a/http/osint/phishing/comerica-phish.yaml
+++ b/http/osint/phishing/comerica-phish.yaml
@@ -0,0 +1,36 @@
+id: comerica-phish
+
+info:
+  name: Comerica Bank phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Comerica Bank phishing website was detected
+  reference:
+    - https://comerica.com
+  metadata:
+    max-request: 1
+  tags: phishing,comerica,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Comerica'
+          - 'Your partner for personal finance, business banking, and wealth management with a legacy of excellence and industry recognition.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"comerica.com")'
--- a/http/osint/phishing/commonwealth-bank-phish.yaml
+++ b/http/osint/phishing/commonwealth-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: commonwealth-bank-phish
+
+info:
+  name: Commonwealth Bank phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Commonwealth Bank phishing website was detected
+  reference:
+    - https://commbank.com.au
+  metadata:
+    max-request: 1
+  tags: phishing,commonwealth-bank,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Commonwealth Bank'
+          - 'CommBank offers personal banking, business solutions, institutional banking, company information, and more'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"commbank.com.au")'
--- a/http/osint/phishing/costco-phish.yaml
+++ b/http/osint/phishing/costco-phish.yaml
@@ -0,0 +1,36 @@
+id: costco-phish
+
+info:
+  name: Costco phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Costco phishing website was detected
+  reference:
+    - https://costco.com
+  metadata:
+    max-request: 1
+  tags: phishing,costco,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Costco'
+          - 'Shop Costco.com for electronics, computers, furniture, outdoor living, appliances, jewelry and more. Enjoy low warehouse prices on name-brands products delivered to your door'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"costco.com")'
--- a/http/osint/phishing/credit-agricole-phish.yaml
+++ b/http/osint/phishing/credit-agricole-phish.yaml
@@ -0,0 +1,36 @@
+id: credit-agricole-phish
+
+info:
+  name: Crédit Agricole phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Crédit Agricole phishing website was detected
+  reference:
+    - https://credit-agricole.com
+  metadata:
+    max-request: 1
+  tags: phishing,credit-agricole,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Crédit Agricole'
+          - 'Crédit Agricole 1re banque de l&#039;habitat, de l&#039;agriculture, des entreprises, des pros, des collectivites territoriales'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"credit-agricole.com")'
--- a/http/osint/phishing/crunchyroll-phish.yaml
+++ b/http/osint/phishing/crunchyroll-phish.yaml
@@ -0,0 +1,36 @@
+id: crunchyroll-phish
+
+info:
+  name: Crunchyroll phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Crunchyroll phishing website was detected
+  reference:
+    - https://crunchyroll.com
+  metadata:
+    max-request: 1
+  tags: phishing,crunchyroll,streaming,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'crunchyroll.com'
+          - 'Crunchyroll'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"crunchyroll.com")'
--- a/http/osint/phishing/csgo-phish.yaml
+++ b/http/osint/phishing/csgo-phish.yaml
@@ -0,0 +1,37 @@
+id: csgo-phish
+
+info:
+  name: CS:GO phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CS:GO phishing website was detected
+  reference:
+    - https://counter-strike.net
+  metadata:
+    max-request: 1
+  tags: phishing,csgo,steam,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'VALVE_PUBLIC_PATH = "https:\/\/www.counter-strike.net\/\/public\/"'
+          - 'https://www.counter-strike.net/public/'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"counter-strike.net")'
+          - '!contains(host,"steampowered.com")'
--- a/http/osint/phishing/current-phish.yaml
+++ b/http/osint/phishing/current-phish.yaml
@@ -0,0 +1,36 @@
+id: current-phish
+
+info:
+  name: Current phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Current phishing website was detected
+  reference:
+    - https://current.com
+  metadata:
+    max-request: 1
+  tags: phishing,current,fintech,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Current'
+          - 'Mobile banking done better. Build credit while you bank. No overdraft fees/hidden fees. Current is a fintech not a bank. Banking services provided by Choice Financial Group, Member FDIC, and Cross River Bank, Member FDIC.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"current.com")'
--- a/http/osint/phishing/customink-phish.yaml
+++ b/http/osint/phishing/customink-phish.yaml
@@ -0,0 +1,36 @@
+id: customink-phish
+
+info:
+  name: CustomInk phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CustomInk phishing website was detected
+  reference:
+    - https://customink.com
+  metadata:
+    max-request: 1
+  tags: phishing,customink,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'CustomInk'
+          - '<title>Custom T-shirts - Design T-shirts, Apparel & Promo Products Online'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"customink.com")'
--- a/http/osint/phishing/cvs-phish.yaml
+++ b/http/osint/phishing/cvs-phish.yaml
@@ -0,0 +1,36 @@
+id: cvs-phish
+
+info:
+  name: CVS phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CVS phishing website was detected
+  reference:
+    - https://cvs.com
+  metadata:
+    max-request: 1
+  tags: phishing,cvs,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'CVS'
+          - 'Refill and transfer prescriptions online or find a CVS Pharmacy near you. Shop online, see ExtraCare deals, find MinuteClinic locations and more.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"cvs.com")'
--- a/http/osint/phishing/cyberghost-phish.yaml
+++ b/http/osint/phishing/cyberghost-phish.yaml
@@ -0,0 +1,34 @@
+id: cyberghost-phish
+
+info:
+  name: CyberGhost phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A CyberGhost phishing website was detected
+  reference:
+    - https://cyberghostvpn.com
+  metadata:
+    max-request: 1
+  tags: phishing,cyberghost,vpn,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Fast, Secure, &amp; Private VPN Service | CyberGhost VPN'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"cyberghostvpn.com")'
--- a/http/osint/phishing/dbs-phish.yaml
+++ b/http/osint/phishing/dbs-phish.yaml
@@ -0,0 +1,36 @@
+id: dbs-phish
+
+info:
+  name: DBS Bank phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A DBS Bank phishing website was detected
+  reference:
+    - https://dbs.com
+  metadata:
+    max-request: 1
+  tags: phishing,dbs,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'DBS Bank'
+          - "<title>DBS: Trusted as the World’s Best Bank | DBS Bank"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"dbs.com")'
--- a/http/osint/phishing/depop-phish.yaml
+++ b/http/osint/phishing/depop-phish.yaml
@@ -0,0 +1,36 @@
+id: depop-phish
+
+info:
+  name: Depop phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Depop phishing website was detected
+  reference:
+    - https://depop.com
+  metadata:
+    max-request: 1
+  tags: phishing,depop,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Depop'
+          - 'Designer. Preloved. Vintage. Streetwear. Sneakers. Whatever your style. Find it on Depop.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"depop.com")'
--- a/http/osint/phishing/deutsche-bank-phish.yaml
+++ b/http/osint/phishing/deutsche-bank-phish.yaml
@@ -0,0 +1,36 @@
+id: deutsche-bank-phish
+
+info:
+  name: Deutsche Bank phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Deutsche Bank phishing website was detected
+  reference:
+    - https://db.com
+  metadata:
+    max-request: 1
+  tags: phishing,deutsche-bank,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Deutsche Bank'
+          - "Discover Deutsche Bank, one of the world’s leading financial services providers. News and Information about the bank and its products"
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"db.com")'
--- a/http/osint/phishing/dhl-phish.yaml
+++ b/http/osint/phishing/dhl-phish.yaml
@@ -0,0 +1,36 @@
+id: dhl-phish
+
+info:
+  name: DHL phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A DHL phishing website was detected
+  reference:
+    - https://dhl.com
+  metadata:
+    max-request: 1
+  tags: phishing,dhl,shipping,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'DHL'
+          - 'DHL is the global leader in the logistics industry. Specializing in international shipping, courier services and transportation.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"dhl.com")'
--- a/http/osint/phishing/discover-phish.yaml
+++ b/http/osint/phishing/discover-phish.yaml
@@ -0,0 +1,36 @@
+id: discover-phish
+
+info:
+  name: Discover phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Discover phishing website was detected
+  reference:
+    - https://discover.com
+  metadata:
+    max-request: 1
+  tags: phishing,discover,credit-card,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Discover'
+          - '<title>Discover - Personal Banking, Credit Cards &amp; Loans'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"discover.com")'
--- a/http/osint/phishing/docusign-phish.yaml
+++ b/http/osint/phishing/docusign-phish.yaml
@@ -0,0 +1,34 @@
+id: docusign-phish
+
+info:
+  name: DocuSign phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A DocuSign phishing website was detected
+  reference:
+    - https://docusign.com
+  metadata:
+    max-request: 1
+  tags: phishing,docusign,esignature,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'title>Docusign | #1 in Electronic Signature and Intelligent Agreement Management'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"docusign.com")'
--- a/http/osint/phishing/doordash-phish.yaml
+++ b/http/osint/phishing/doordash-phish.yaml
@@ -0,0 +1,36 @@
+id: doordash-phish
+
+info:
+  name: DoorDash phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A DoorDash phishing website was detected
+  reference:
+    - https://doordash.com
+  metadata:
+    max-request: 1
+  tags: phishing,doordash,food-delivery,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'DoorDash'
+          - 'Get food, grocery, and retail essentials delivered fast. Shop same-day delivery from local stores and restaurants near you.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"doordash.com")'
--- a/http/osint/phishing/dota2-phish.yaml
+++ b/http/osint/phishing/dota2-phish.yaml
@@ -0,0 +1,35 @@
+id: dota2-phish
+
+info:
+  name: Dota 2 phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Dota 2 phishing website was detected
+  reference:
+    - https://dota2.com
+  metadata:
+    max-request: 1
+  tags: phishing,dota2,steam,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Every day, millions of players worldwide enter battle as one of over a hundred Dota heroes. And no matter if it's their 10th hour of play or 1,000th, there's always something new to discover. With regular updates that ensure a constant evolution of gameplay, features, and heroes, Dota 2 has taken on a life of its own."
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"dota2.com")'
+          - '!contains(host,"steampowered.com")'
--- a/http/osint/phishing/dribbble-phish.yaml
+++ b/http/osint/phishing/dribbble-phish.yaml
@@ -0,0 +1,34 @@
+id: dribbble-phish
+
+info:
+  name: Dribbble phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Dribbble phishing website was detected
+  reference:
+    - https://dribbble.com
+  metadata:
+    max-request: 1
+  tags: phishing,dribbble,design,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "<title>Dribbble - Discover the World's Top Designers &amp; Creative Professionals"
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"dribbble.com")'
--- a/http/osint/phishing/ea-phish.yaml
+++ b/http/osint/phishing/ea-phish.yaml
@@ -0,0 +1,34 @@
+id: ea-phish
+
+info:
+  name: EA phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An EA phishing website was detected
+  reference:
+    - https://ea.com
+  metadata:
+    max-request: 1
+  tags: phishing,ea,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "We exist to inspire the world through Play. Electronic Arts is a leading publisher of games on Console, PC and Mobile."
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"ea.com")'
--- a/http/osint/phishing/edelbrock-phish.yaml
+++ b/http/osint/phishing/edelbrock-phish.yaml
@@ -0,0 +1,36 @@
+id: edelbrock-phish
+
+info:
+  name: Edelbrock phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Edelbrock phishing website was detected
+  reference:
+    - https://edelbrock.com
+  metadata:
+    max-request: 1
+  tags: phishing,edelbrock,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Edelbrock'
+          - 'Edelbrock is the most respected name in performance! Since 1938, Edelbrock has manufactured its core products in the USA for quality and performance.'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"edelbrock.com")'
--- a/http/osint/phishing/epic-games-phish.yaml
+++ b/http/osint/phishing/epic-games-phish.yaml
@@ -0,0 +1,36 @@
+id: epic-games-phish
+
+info:
+  name: Epic Games phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Epic Games phishing website was detected
+  reference:
+    - https://epicgames.com
+  metadata:
+    max-request: 1
+  tags: phishing,epic-games,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'The Epic Games Store is now open.'
+          - 'Epic Games'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"epicgames.com")'
--- a/http/osint/phishing/etsy-phish.yaml
+++ b/http/osint/phishing/etsy-phish.yaml
@@ -0,0 +1,36 @@
+id: etsy-phish
+
+info:
+  name: Etsy phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Etsy phishing website was detected
+  reference:
+    - https://etsy.com
+  metadata:
+    max-request: 1
+  tags: phishing,etsy,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "etsy.com"
+          - 'Shop for handmade, vintage, custom, and unique gifts'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"etsy.com")'
--- a/http/osint/phishing/expedia-phish.yaml
+++ b/http/osint/phishing/expedia-phish.yaml
@@ -0,0 +1,36 @@
+id: expedia-phish
+
+info:
+  name: Expedia phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    An Expedia phishing website was detected
+  reference:
+    - https://expedia.com
+  metadata:
+    max-request: 1
+  tags: phishing,expedia,travel,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Expedia'
+          - '<title>Expedia Travel: Vacation Homes, Hotels, Car Rentals, Flights &amp; More'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"expedia.com")'
--- a/http/osint/phishing/expressvpn-phish.yaml
+++ b/http/osint/phishing/expressvpn-phish.yaml
@@ -0,0 +1,34 @@
+id: expressvpn-phish
+
+info:
+  name: ExpressVPN phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A ExpressVPN phishing website was detected
+  reference:
+    - https://expressvpn.com
+  metadata:
+    max-request: 1
+  tags: phishing,expressvpn,vpn,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>ExpressVPN: Best VPN Service for Speed & Privacy in 2025'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"expressvpn.com")'
--- a/http/osint/phishing/fanatical-phish.yaml
+++ b/http/osint/phishing/fanatical-phish.yaml
@@ -0,0 +1,36 @@
+id: fanatical-phish
+
+info:
+  name: Fanatical phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Fanatical phishing website was detected
+  reference:
+    - https://fanatical.com
+  metadata:
+    max-request: 1
+  tags: phishing,fanatical,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Fanatical'
+          - '<title>Fanatical'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"fanatical.com")'
--- a/http/osint/phishing/fastmail-phish.yaml
+++ b/http/osint/phishing/fastmail-phish.yaml
@@ -0,0 +1,34 @@
+id: fastmail-phish
+
+info:
+  name: Fastmail phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Fastmail phishing website was detected
+  reference:
+    - https://fastmail.com
+  metadata:
+    max-request: 1
+  tags: phishing,fastmail,email,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Email and calendar made better | Fastmail'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"fastmail.com")'
--- a/http/osint/phishing/fedex-phish.yaml
+++ b/http/osint/phishing/fedex-phish.yaml
@@ -0,0 +1,36 @@
+id: fedex-phish
+
+info:
+  name: FedEx phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A FedEx phishing website was detected
+  reference:
+    - https://fedex.com
+  metadata:
+    max-request: 1
+  tags: phishing,fedex,shipping,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'FedEx'
+          - '<title>Track &amp; Ship Online or Find Nearby Locations | FedEx'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"fedex.com")'
--- a/http/osint/phishing/fifth-third-bank-phish.yaml
+++ b/http/osint/phishing/fifth-third-bank-phish.yaml
@@ -0,0 +1,34 @@
+id: fifth-third-bank-phish
+
+info:
+  name: Fifth Third Bank phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Fifth Third Bank phishing website was detected
+  reference:
+    - https://53.com
+  metadata:
+    max-request: 1
+  tags: phishing,fifth-third-bank,bank,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Personal Banking | Fifth Third Bank'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"53.com")'
--- a/http/osint/phishing/footlocker-phish.yaml
+++ b/http/osint/phishing/footlocker-phish.yaml
@@ -0,0 +1,36 @@
+id: footlocker-phish
+
+info:
+  name: Foot Locker phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Foot Locker phishing website was detected
+  reference:
+    - https://footlocker.com
+  metadata:
+    max-request: 1
+  tags: phishing,footlocker,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Foot Locker'
+          - 'Sneakers, Apparel &amp; More | Foot Locker'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"footlocker.com")'
--- a/http/osint/phishing/fortnite-phish.yaml
+++ b/http/osint/phishing/fortnite-phish.yaml
@@ -0,0 +1,37 @@
+id: fortnite-phish
+
+info:
+  name: Fortnite phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Fortnite phishing website was detected
+  reference:
+    - https://fortnite.com
+  metadata:
+    max-request: 1
+  tags: phishing,fortnite,epic-games,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Fortnite'
+          - '<title>Fortnite | Free-to-Play Cross-Platform Game - Fortnite'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"fortnite.com")'
+          - '!contains(host,"epicgames.com")'
--- a/http/osint/phishing/framer-phish.yaml
+++ b/http/osint/phishing/framer-phish.yaml
@@ -0,0 +1,34 @@
+id: framer-phish
+
+info:
+  name: Framer phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Framer phishing website was detected
+  reference:
+    - https://framer.com
+  metadata:
+    max-request: 1
+  tags: phishing,framer,design,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Framer: Create a professional website, free. No code website builder loved by designers.'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"framer.com")'
--- a/http/osint/phishing/freshworks-phish.yaml
+++ b/http/osint/phishing/freshworks-phish.yaml
@@ -0,0 +1,34 @@
+id: freshworks-phish
+
+info:
+  name: Freshworks phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Freshworks phishing website was detected
+  reference:
+    - https://freshworks.com
+  metadata:
+    max-request: 1
+  tags: phishing,freshworks,business,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'title>Freshworks: Uncomplicated Software | IT Service, Customer Service'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"freshworks.com")'
--- a/http/osint/phishing/fubo-phish.yaml
+++ b/http/osint/phishing/fubo-phish.yaml
@@ -0,0 +1,34 @@
+id: fubo-phish
+
+info:
+  name: FuboTV phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A FuboTV phishing website was detected
+  reference:
+    - https://fubo.tv
+  metadata:
+    max-request: 1
+  tags: phishing,fubo,streaming,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Watch ABC, CBS, FOX, ESPN and other top channels live - without cable TV. On your phone, TV and more. No contract. DVR included."
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"fubo.tv")'
--- a/http/osint/phishing/fullstory-phish.yaml
+++ b/http/osint/phishing/fullstory-phish.yaml
@@ -0,0 +1,34 @@
+id: fullstory-phish
+
+info:
+  name: FullStory phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A FullStory phishing website was detected
+  reference:
+    - https://fullstory.com
+  metadata:
+    max-request: 1
+  tags: phishing,fullstory,analytics,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>FullStory | Digital Experience Intelligence Platform'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"fullstory.com")'
--- a/http/osint/phishing/g2a-phish.yaml
+++ b/http/osint/phishing/g2a-phish.yaml
@@ -0,0 +1,36 @@
+id: g2a-phish
+
+info:
+  name: G2A phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A G2A phishing website was detected
+  reference:
+    - https://g2a.com
+  metadata:
+    max-request: 1
+  tags: phishing,g2a,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'G2A'
+          - 'G2A.COM - Open the Gate 2 Adventure in the Digital World'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"g2a.com")'
--- a/http/osint/phishing/gamestop-phish.yaml
+++ b/http/osint/phishing/gamestop-phish.yaml
@@ -0,0 +1,36 @@
+id: gamestop-phish
+
+info:
+  name: GameStop phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A GameStop phishing website was detected
+  reference:
+    - https://gamestop.com
+  metadata:
+    max-request: 1
+  tags: phishing,gamestop,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'GameStop'
+          - 'Consoles, Collectibles, Video Games, and More &ndash; Buy, Sell or Trade | GameStop'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"gamestop.com")'
--- a/http/osint/phishing/gcp-phish.yaml
+++ b/http/osint/phishing/gcp-phish.yaml
@@ -0,0 +1,35 @@
+id: gcp-phish
+
+info:
+  name: Google Cloud Platform phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Google Cloud Platform phishing website was detected
+  reference:
+    - https://cloud.google.com
+  metadata:
+    max-request: 1
+  tags: phishing,gcp,google-cloud,cloud,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Meet your business challenges head on with cloud computing services from Google, including data management, hybrid & multi-cloud, and AI & ML."
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"cloud.google.com")'
+          - '!contains(host,"google.com")'
--- a/http/osint/phishing/gemini-phish.yaml
+++ b/http/osint/phishing/gemini-phish.yaml
@@ -0,0 +1,36 @@
+id: gemini-phish
+
+info:
+  name: Gemini phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Gemini phishing website was detected
+  reference:
+    - https://gemini.com
+  metadata:
+    max-request: 1
+  tags: phishing,gemini,crypto,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Gemini'
+          - '<title>Buy, Sell &amp; Trade Bitcoin, Solana, &amp; Other Cryptos with Gemini&#x27;s Best-in-class Platform | Gemini'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"gemini.com")'
--- a/http/osint/phishing/gitlab-phish.yaml
+++ b/http/osint/phishing/gitlab-phish.yaml
@@ -0,0 +1,34 @@
+id: gitlab-phish
+
+info:
+  name: GitLab phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A GitLab phishing website was detected
+  reference:
+    - https://gitlab.com
+  metadata:
+    max-request: 1
+  tags: phishing,gitlab,developer,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>The most-comprehensive AI-powered DevSecOps platform'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"gitlab.com")'
--- a/http/osint/phishing/gitpod-phish.yaml
+++ b/http/osint/phishing/gitpod-phish.yaml
@@ -0,0 +1,34 @@
+id: gitpod-phish
+
+info:
+  name: Gitpod phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Gitpod phishing website was detected
+  reference:
+    - https://gitpod.io
+  metadata:
+    max-request: 1
+  tags: phishing,gitpod,developer,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Gitpod - Always Ready to Code'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"gitpod.io")'
--- a/http/osint/phishing/goat-phish.yaml
+++ b/http/osint/phishing/goat-phish.yaml
@@ -0,0 +1,36 @@
+id: goat-phish
+
+info:
+  name: GOAT phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A GOAT phishing website was detected
+  reference:
+    - https://goat.com
+  metadata:
+    max-request: 1
+  tags: phishing,goat,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'GOAT'
+          - '<title>GOAT: Sneakers, Apparel, Accessories'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"goat.com")'
--- a/http/osint/phishing/godaddy-phish.yaml
+++ b/http/osint/phishing/godaddy-phish.yaml
@@ -0,0 +1,34 @@
+id: godaddy-phish
+
+info:
+  name: GoDaddy phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A GoDaddy phishing website was detected
+  reference:
+    - https://godaddy.com
+  metadata:
+    max-request: 1
+  tags: phishing,godaddy,domain,hosting,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Domain Names, Websites, Hosting &amp; Online Marketing Tools - GoDaddy'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"godaddy.com")'
--- a/http/osint/phishing/gog-phish.yaml
+++ b/http/osint/phishing/gog-phish.yaml
@@ -0,0 +1,36 @@
+id: gog-phish
+
+info:
+  name: GOG phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A GOG phishing website was detected
+  reference:
+    - https://gog.com
+  metadata:
+    max-request: 1
+  tags: phishing,gog,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Welcome to GOG.com | best PC games DRM-free'
+          - 'GOG'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"gog.com")'
--- a/http/osint/phishing/grailed-phish.yaml
+++ b/http/osint/phishing/grailed-phish.yaml
@@ -0,0 +1,36 @@
+id: grailed-phish
+
+info:
+  name: Grailed phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Grailed phishing website was detected
+  reference:
+    - https://grailed.com
+  metadata:
+    max-request: 1
+  tags: phishing,grailed,ecommerce,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - 'Grailed'
+          - '<title>Grailed: Online Marketplace to Buy Fashion'
+        condition: and
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"grailed.com")'
--- a/http/osint/phishing/grammarly-phish.yaml
+++ b/http/osint/phishing/grammarly-phish.yaml
@@ -0,0 +1,34 @@
+id: grammarly-phish
+
+info:
+  name: Grammarly phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Grammarly phishing website was detected
+  reference:
+    - https://grammarly.com
+  metadata:
+    max-request: 1
+  tags: phishing,grammarly,writing,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - '<title>Grammarly: Free AI Writing Assistant'
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"grammarly.com")'
--- a/http/osint/phishing/green-man-gaming-phish.yaml
+++ b/http/osint/phishing/green-man-gaming-phish.yaml
@@ -0,0 +1,34 @@
+id: green-man-gaming-phish
+
+info:
+  name: Green Man Gaming phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Green Man Gaming phishing website was detected
+  reference:
+    - https://greenmangaming.com
+  metadata:
+    max-request: 1
+  tags: phishing,green-man-gaming,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Buy games & game keys with Green Man Gaming - get the best prices, awesome bundles & exclusive game deals daily! Visit to explore Green Man Gaming now!"
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"greenmangaming.com")'
--- a/http/osint/phishing/grubhub-phish.yaml
+++ b/http/osint/phishing/grubhub-phish.yaml
@@ -0,0 +1,34 @@
+id: grubhub-phish
+
+info:
+  name: Grubhub phishing Detection
+  author: rxerium
+  severity: info
+  description: |
+    A Grubhub phishing website was detected
+  reference:
+    - https://grubhub.com
+  metadata:
+    max-request: 1
+  tags: phishing,grubhub,food-delivery,osint,discovery
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}"
+
+    host-redirects: true
+    max-redirects: 2
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        words:
+          - "Prepare your taste buds..."
+
+      - type: status
+        status:
+          - 200
+
+      - type: dsl
+        dsl:
+          - '!contains(host,"grubhub.com")'
--- a/Show More
+++ b/Show More