Brand impersonation: SendGrid
Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.
Sublime rule (View on GitHub)
1name: "Brand impersonation: SendGrid"
2description: "Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources."
3type: "rule"
4severity: "medium"
5source: |
6 type.inbound
7 and (
8 // display name contains sendgrid
9 (
10 strings.ilike(strings.replace_confusables(sender.display_name),
11 '*sendgrid*'
12 )
13 // levenshtein distance similar to sendgrid
14 or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
15 'sendgrid'
16 ) <= 1
17 // no display name, local_part contains sendgrid
18 or (
19 strings.ilike(strings.replace_confusables(sender.email.local_part),
20 '*sendgrid*'
21 )
22 and (
23 sender.display_name is null
24 or strings.ilike(strings.replace_confusables(subject.subject),
25 '*sendgrid*'
26 )
27 )
28 )
29 )
30 or any(ml.logo_detect(beta.message_screenshot()).brands,
31 .name == "SendGrid" and .confidence == "high"
32 )
33 )
34 and (
35 any(beta.ml_topic(body.current_thread.text).topics,
36 .name in (
37 "Security and Authentication",
38 "Secure Message",
39 "Reminders and Notifications",
40 "Software and App Updates"
41 )
42 and .confidence in ("medium", "high")
43 )
44 or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
45 .name in (
46 "Security and Authentication",
47 "Secure Message",
48 "Reminders and Notifications",
49 "Software and App Updates"
50 )
51 and .confidence in ("medium", "high")
52 )
53 or any(ml.nlu_classifier(body.current_thread.text).intents,
54 .name == "cred_theft" and .confidence == "high"
55 )
56 or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
57 .name == "cred_theft" and .confidence == "high"
58 )
59 )
60
61 // and the sender is not in org_domains or from sendgrid domains and passes auth
62 and not (
63 sender.email.domain.root_domain in $org_domains
64 or (
65 sender.email.domain.root_domain in ("sendgrid.com", "sendgrid.net")
66 and headers.auth_summary.dmarc.pass
67 )
68 )
69 // and the sender is not from high trust sender root domains
70 and (
71 (
72 sender.email.domain.root_domain in $high_trust_sender_root_domains
73 and not headers.auth_summary.dmarc.pass
74 )
75 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76 )
77 and not profile.by_sender().solicited
78
79attack_types:
80 - "BEC/Fraud"
81 - "Credential Phishing"
82 - "Spam"
83tactics_and_techniques:
84 - "Impersonation: Brand"
85 - "Social engineering"
86detection_methods:
87 - "Content analysis"
88 - "Header analysis"
89 - "Natural Language Understanding"
90 - "Optical Character Recognition"
91 - "Sender analysis"
92id: "d800124f-6aa4-58e1-8fa7-beec4958924f"