Brand impersonation: SendGrid
Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.
# Sublime Security detection rule: YAML metadata around an MQL query (`source`).
name: "Brand impersonation: SendGrid"
description: "Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources."
type: "rule"
severity: "medium"
source: |
  // Only inbound mail is evaluated.
  type.inbound
  // 1. Brand lure: the message must look like it comes from SendGrid or Twilio,
  //    or carry SendGrid-themed API/webhook content sent via a third-party
  //    marketing platform.
  and (
    (
      // SendGrid impersonation patterns
      // Display name contains "sendgrid" after confusable-character normalization ...
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*sendgrid*'
      )
      // ... or is within one edit of it (case-insensitive Levenshtein distance).
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'sendgrid'
      ) <= 1
      // A "sendgrid" local part only counts when there is no display name
      // to contradict it, or the subject also mentions sendgrid.
      or (
        strings.ilike(strings.replace_confusables(sender.email.local_part),
                      '*sendgrid*'
        )
        and (
          sender.display_name is null
          or strings.ilike(strings.replace_confusables(subject.subject),
                           '*sendgrid*'
          )
        )
      )
      // A high-confidence SendGrid logo in the rendered message also qualifies
      // (there is no equivalent logo check in the Twilio branch below).
      or any(ml.logo_detect(file.message_screenshot()).brands,
             .name == "SendGrid" and .confidence == "high"
      )
    )
    or (
      // Twilio impersonation patterns (same display-name / local-part logic as above)
      strings.ilike(strings.replace_confusables(sender.display_name), '*twilio*')
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'twilio'
      ) <= 1
      or (
        strings.ilike(strings.replace_confusables(sender.email.local_part),
                      '*twilio*'
        )
        and (
          sender.display_name is null
          or strings.ilike(strings.replace_confusables(subject.subject),
                           '*twilio*'
          )
        )
      )
    )
    // SendGrid content from non-SendGrid marketing platforms
    or (
      sender.email.domain.root_domain in (
        "selfcast.com",
        "mailchimp.com",
        "constantcontact.com",
        "hubspot.com",
        "klaviyo.com",
        "mailgun.com"
      )
      and (
        (
          // "sendgrid" in body or subject, plus at least 3 of the 5 API/webhook terms
          (
            strings.icontains(body.current_thread.text, "sendgrid")
            or strings.icontains(subject.subject, "sendgrid")
          )
          and 3 of (
            strings.icontains(body.current_thread.text, "webhook"),
            strings.icontains(body.current_thread.text, "endpoint"),
            strings.icontains(body.current_thread.text, "api"),
            strings.icontains(body.current_thread.text, "delivery"),
            strings.icontains(body.current_thread.text, "event notification")
          )
        )
        and (
          // Look for SendGrid-related content with non-SendGrid tracking links:
          // a link whose href points at selfcast.com, or one whose displayed URL
          // text shows sendgrid.com (the actual href is not constrained in that case).
          any(body.links,
              strings.icontains(.href_url.url, "selfcast.com")
              or (
                .display_url.url is not null
                and strings.icontains(.display_url.url, "sendgrid.com")
              )
          )
        )
      )
    )
  )
  // 2. Theme: security/notification topics at medium or high confidence, or a
  //    high-confidence credential-theft intent, from the body text or from the
  //    OCR'd message screenshot.
  and (
    // Content analysis using ML/NLU
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications",
          "Software and App Updates",
          "Customer Service and Support"
        )
        and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Reminders and Notifications",
             "Software and App Updates",
             "Customer Service and Support"
           )
           and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )

  // 3. Legitimate-sender exclusion: drop mail that passes DMARC from an org domain
  //    or from SendGrid/Twilio and their known vendors. DMARC is consulted only here
  //    and in the high-trust check below; any other sender matches regardless of
  //    its authentication result.
  and not (
    sender.email.domain.valid
    and (
      sender.email.domain.root_domain in $org_domains
      or (
        sender.email.domain.root_domain in (
          "sendgrid.com",
          "sendgrid.net",
          "twilio.com",
          "swoogo.com", // events planning software used by Twilio
          "sendsafely.com" // secure delivery used by Twilio
        )
      )
    )
    and headers.auth_summary.dmarc.pass
  )
  // Exclude high trust domains with valid auth and solicited senders
  // (a high-trust domain that fails DMARC still matches).
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Senders the organization has previously solicited are never flagged.
  and not profile.by_sender().solicited

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "d800124f-6aa4-58e1-8fa7-beec4958924f"