Brand impersonation: SendGrid

Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

Sublime rule (View on GitHub)

  1name: "Brand impersonation: SendGrid"
  2description: "Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources."
  3type: "rule"
  4severity: "medium"
  5source: |
  6  type.inbound // scope: inbound messages only
  7  and (
  8    (
  9      // SendGrid impersonation patterns
 10      strings.ilike(strings.replace_confusables(sender.display_name),
 11                    '*sendgrid*'
 12      ) // brand string anywhere in the display name, after confusable-character replacement
 13      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
 14                              'sendgrid'
 15      ) <= 1 // display name within one edit of the brand name (typosquat)
 16      or (
 17        strings.ilike(strings.replace_confusables(sender.email.local_part),
 18                      '*sendgrid*'
 19        )
 20        and ( // brand in the local-part alone is weak: also require no display name, or the brand in the subject
 21          sender.display_name is null
 22          or strings.ilike(strings.replace_confusables(subject.subject),
 23                           '*sendgrid*'
 24          )
 25        )
 26      )
 27      or any(ml.logo_detect(file.message_screenshot()).brands, // logo check exists for SendGrid only; the Twilio branch below has no logo condition
 28             .name == "SendGrid" and .confidence == "high"
 29      )
 30    )
 31    or (
 32      // Twilio impersonation patterns
 33      strings.ilike(strings.replace_confusables(sender.display_name), '*twilio*')
 34      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
 35                              'twilio'
 36      ) <= 1 // one edit from 'twilio'; a shorter target than 'sendgrid', so near-miss matches are more likely
 37      or (
 38        strings.ilike(strings.replace_confusables(sender.email.local_part),
 39                      '*twilio*'
 40        )
 41        and ( // same weak-signal guard as the SendGrid local-part branch
 42          sender.display_name is null
 43          or strings.ilike(strings.replace_confusables(subject.subject),
 44                           '*twilio*'
 45          )
 46        )
 47      )
 48    )
 49  )
 50  and (
 51    // Content analysis using ML/NLU
 52    any(ml.nlu_classifier(body.current_thread.text).topics, // topic match on the current thread's body text
 53        .name in (
 54          "Security and Authentication",
 55          "Secure Message",
 56          "Reminders and Notifications",
 57          "Software and App Updates"
 58        )
 59        and .confidence in ("medium", "high")
 60    )
 61    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics, // same topics, evaluated on OCR text of the rendered message
 62           .name in (
 63             "Security and Authentication",
 64             "Secure Message",
 65             "Reminders and Notifications",
 66             "Software and App Updates"
 67           )
 68           and .confidence in ("medium", "high")
 69    )
 70    or any(ml.nlu_classifier(body.current_thread.text).intents, // credential-theft intent, body text
 71           .name == "cred_theft" and .confidence == "high"
 72    )
 73    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents, // credential-theft intent, OCR text
 74           .name == "cred_theft" and .confidence == "high"
 75    )
 76  )
 77  
 78  // and the sender is not in org_domains or from sendgrid domains and passes auth
 79  and not ( // the exclusion only holds when DMARC passes; a failing DMARC result from these domains still fires
 80    (
 81      sender.email.domain.root_domain in $org_domains
 82      or (
 83        sender.email.domain.root_domain in (
 84          "sendgrid.com",
 85          "sendgrid.net",
 86          "twilio.com",
 87          "swoogo.com", // events planning software used by Twilio
 88          "sendsafely.com" // secure delivery used by Twilio
 89        )
 90      )
 91    )
 92    and headers.auth_summary.dmarc.pass
 93  )
 94  // Exclude high trust domains with valid auth and solicited senders
 95  and ( // high-trust sender root domains are kept only when DMARC fails; all other domains pass through
 96    (
 97      sender.email.domain.root_domain in $high_trust_sender_root_domains
 98      and not headers.auth_summary.dmarc.pass
 99    )
100    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
101  )
102  and not profile.by_sender().solicited  // exclude senders the sender profile marks as solicited
103
104attack_types:
105  - "BEC/Fraud"
106  - "Credential Phishing"
107  - "Spam"
108tactics_and_techniques:
109  - "Impersonation: Brand"
110  - "Social engineering"
111detection_methods:
112  - "Content analysis"
113  - "Header analysis"
114  - "Natural Language Understanding"
115  - "Optical Character Recognition"
116  - "Sender analysis"
117id: "d800124f-6aa4-58e1-8fa7-beec4958924f"