Brand impersonation: SendGrid
Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.
name: "Brand impersonation: SendGrid"
description: "Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources."
type: "rule"
severity: "medium"
source: |
  // Block 1: brand-impersonation indicators. Any single pattern below
  // (display name, local part, detected logo, footer text, or SendGrid-themed
  // content sent via another marketing platform) satisfies this block.
  type.inbound
  and (
    (
      // SendGrid impersonation patterns
      // replace_confusables normalises look-alike characters before matching;
      // ilevenshtein <= 1 additionally catches single-character variants
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*sendgrid*'
      )
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'sendgrid'
      ) <= 1
      or (
        strings.ilike(strings.replace_confusables(sender.email.local_part),
                      '*sendgrid*'
        )
        // a "sendgrid" local part on its own is weak evidence: require either
        // no display name at all or a subject that also names the brand
        and (
          sender.display_name is null
          or strings.ilike(strings.replace_confusables(subject.base),
                           '*sendgrid*'
          )
        )
      )
      // SendGrid logo found in a rendered screenshot of the message
      or any(ml.logo_detect(file.message_screenshot()).brands,
             .name == "SendGrid" and .confidence == "high"
      )
    )
    or (
      // Twilio impersonation patterns (same structure as the SendGrid block)
      strings.ilike(strings.replace_confusables(sender.display_name), '*twilio*')
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'twilio'
      ) <= 1
      or (
        strings.ilike(strings.replace_confusables(sender.email.local_part),
                      '*twilio*'
        )
        and (
          sender.display_name is null
          or strings.ilike(strings.replace_confusables(subject.base), '*twilio*')
        )
      )
    )
    // sign-off phrase used in SendGrid notifications
    or strings.icontains(body.current_thread.text, "the sendgrid team")
    // brand name combined with elements of the Twilio/SendGrid postal footer
    or 2 of (
      regex.icontains(body.current_thread.text, '(?:Twilio|SendGrid)'),
      strings.icontains(body.current_thread.text, '1801 California St'),
      strings.icontains(body.current_thread.text, 'Denver, CO 80202')
    )
    // SendGrid content from non-SendGrid marketing platforms
    or (
      sender.email.domain.root_domain in (
        "selfcast.com",
        "mailchimp.com",
        "constantcontact.com",
        "hubspot.com",
        "klaviyo.com",
        "mailgun.com"
      )
      and (
        (
          (
            strings.icontains(body.current_thread.text, "sendgrid")
            or strings.icontains(subject.base, "sendgrid")
          )
          // API/webhook vocabulary typical of SendGrid service notices
          and 3 of (
            strings.icontains(body.current_thread.text, "webhook"),
            strings.icontains(body.current_thread.text, "endpoint"),
            strings.icontains(body.current_thread.text, "api"),
            strings.icontains(body.current_thread.text, "delivery"),
            strings.icontains(body.current_thread.text, "event notification")
          )
        )
        and (
          // Look for SendGrid-related content with non-SendGrid tracking links
          // (a sendgrid.com display URL whose real href points elsewhere)
          any(body.links,
              strings.icontains(.href_url.url, "selfcast.com")
              or (
                .display_url.url is not null
                and strings.icontains(.display_url.url, "sendgrid.com")
              )
          )
        )
      )
    )
  )
  // Block 2: the message must also carry a lure theme. Topics accept medium
  // or high confidence; the cred_theft intent requires high confidence.
  and (
    // Content analysis using ML/NLU
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications",
          "Software and App Updates",
          "Customer Service and Support"
        )
        and .confidence in ("medium", "high")
    )
    // same topic check over OCR text of the rendered message, so that
    // image-only content is not missed
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Reminders and Notifications",
             "Software and App Updates",
             "Customer Service and Support"
           )
           and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )

    // any capacity or limits mentioned ("limit reached", "capacity reached"),
    // checked in both the subject and the current thread body
    or any([subject.base, body.current_thread.text],
           (strings.icontains(., "capacity") or strings.icontains(., "limit"))
           and regex.icontains(., '\breach(?:\b|ed)')
    )
  )

  // Block 3: sender exemptions. Org domains and known Twilio/SendGrid sending
  // domains are exempt only when the domain is valid AND the message passes
  // DMARC, so a spoof of one of these domains that fails DMARC is still
  // flagged. Note that an unrelated domain which passes DMARC is NOT exempted
  // by this clause; authentication here is used only to confirm these
  // specific legitimate senders.
  and not (
    sender.email.domain.valid
    and (
      sender.email.domain.root_domain in $org_domains
      or (
        sender.email.domain.root_domain in (
          "sendgrid.com",
          "sendgrid.net",
          "twilio.com",
          "swoogo.com", // events planning software used by Twilio
          "sendsafely.com", // secure delivery used by Twilio
          "evolve.com", // same address as Twilio (presumably the postal address above; confirm)
          "sendgridsolutions.com"
        )
      )
    )
    and headers.auth_summary.dmarc.pass
  )
  // Exclude high trust domains with valid auth and solicited senders
  // (a high-trust domain that fails DMARC is still evaluated, since that is
  // the spoofing case this rule is meant to catch)
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // suppress when the sender profile marks the message as solicited
  and not profile.by_sender().solicited
attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "d800124f-6aa4-58e1-8fa7-beec4958924f"