From d47473f55375db0de222fc1d2f31be7a8dbacb90 Mon Sep 17 00:00:00 2001
From: twesterhever <40121680+twesterhever@users.noreply.github.com>
Date: Wed, 2 Aug 2023 13:32:13 +0000
Subject: [PATCH] [Minor] Tweak HAS_GOOGLE_REDIR to detect Google AMP URLs as well

Rationale: https://cofense.com/blog/google-amp-the-newest-of-evasive-phishing-tactic/
---
 rules/regexp/headers.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/regexp/headers.lua b/rules/regexp/headers.lua
index b6b5e10d4..42c08ca3f 100644
--- a/rules/regexp/headers.lua
+++ b/rules/regexp/headers.lua
@@ -912,7 +912,7 @@ reconf['HAS_GUC_PROXY_URI'] = {
 }
 
 reconf['HAS_GOOGLE_REDIR'] = {
- re = '/\\.google\\.([a-z]{2,3}(|\\.[a-z]{2,3})|info|jobs)\\/url\\?/{url}i',
+ re = '/\\.google\\.([a-z]{2,3}(|\\.[a-z]{2,3})|info|jobs)\\/(amp\\/s\\/|url\\?)/{url}i',
 description = 'Has google.com/url or alike Google redirection URL',
 score = 1.0,
 group = 'url'
-- 
2.39.5
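Review bot: The new `amp\\/s\\/` alternative in `re` covers only the `/amp/s/` path, so a Google link of the form `/amp/<host>` without `s/` (which I believe is the plain-HTTP variant of the same viewer path) would not set HAS_GOOGLE_REDIR; consider `(amp\\/(s\\/)?|url\\?)` if that form should count as well. The unchanged leading `\\.` requires a dot before `google`, so a bare-host URL such as `https://google.com/amp/s/…` presumably stays unmatched for both alternatives; this is worth confirming against how `{url}` presents the URL to the regexp. The `description` on the following line still mentions only `google.com/url`; something like `description = 'Has google.com/url, google.com/amp/s/ or alike Google redirection URL',` would keep the symbol self-explanatory when it shows up in logs. The `reconf['HAS_GOOGLE_REDIR']` table closes outside the hunk.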