A bit of a weird  set of emails has been received this afternoon. The subject is  Please activate your Personal Security Key coming from American Express <[email protected]>

Additional sending addresses so far found include  Amex-mails.com  |  amexmails.com  | amex-emails.com  | amexmails.com were all  registered today by surprise, surprise Godaddy,com They currently do not have an IP number associated with them. When they were received, the emails came from  San Antonio Texas US AS27357 Rackspace Hosting
Received: from [] (port=58359 helo=amex-mails.com)
	by knight.knighthosting.co.uk with esmtp (Exim 4.87)
	(envelope-from <[email protected]>)
	id 1c7NqA-0002bP-Uh
	for [email protected]; Thu, 17 Nov 2016 14:39:03 +0000
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=key; d=amex-mails.com;
Received: by amex-mails.com id h5n0ggbdd9op for <[email protected]>; Thu, 17 Nov 2016 09:35:53 -0500 (envelope-from <[email protected]>)
Mime-Version: 1.0
From: "American Express" <[email protected]>
Date: Thu, 17 Nov 2016 09:35:53 -0500
To: [email protected]
Subject: Please activate your Personal Security Key
Content-Type: multipart/alternative;
Message-ID: <[email protected]>

The weird thing is the emails appear blank when opened in Outlook, but using view source I can see the email in its full glory, including the links to click to get to the phishing site. A plain text version is

SafeKey Logo

Please activate your Personal Security Key

American Express SafeKey is an authentication service that provides an additional layer of fraud protection. This service is part of our continuous efforts to increase account security. Beginning April 2016, you may be asked to enter a One-Time Code or other verification information to complete a purchase.

As a Card Member you are enrolled in American Express SafeKey, so you just need to take one additional step to benefit from this security feature. You may update your contact information during the SafeKey create process, through your online account.

To create your American Express SafeKey please click the button bellow

Create SafeKey <http://aexpsafekeys.com>

Note: You will be redirected to a secure encrypted website.

The contained message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

Thank you,

American Expres

This is a customer service e-mail from American Express. Using the spam/junk mail function may not block servicing messages from being sent to your email account. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us securely via customer service.

Copyright 2016 American Express. All rights reserved.

A screenshot of the html is

Alternative links in emails go to

aexpsafekeys.com was registered yesterday 16 November 2016 and hosted on these IP addresses which look like they belong to a Russian network

Was also registered yesterday by the same Russian name and hosted on same IP addresses also registered yesterday same IP addresses

Following the link to aexpsafekeys.com, you get a typical phishing page like this, where they want all the usual information about you, your family and bank /credit cards etc.