Brand impersonation: SendGrid
Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.
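# Sublime detection rule: brand impersonation of SendGrid / Twilio.
#
# Fires on inbound mail that poses as SendGrid or Twilio (display name, sender
# local part, or a high-confidence SendGrid logo in the rendered message) and
# whose text or OCR'd screenshot carries security/authentication-themed topics
# or a high-confidence credential-theft intent. Org, Twilio/SendGrid-owned and
# high-trust sender domains are excluded only when DMARC passes; solicited
# senders are always excluded.
name: "Brand impersonation: SendGrid"
description: "Detects inbound messages that impersonate Twilio/SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    (
      // SendGrid impersonation patterns.
      // Display name is normalized with replace_confusables so homoglyph
      // variants still match; an edit distance of <= 1 catches one-character
      // typos of the brand name.
      strings.ilike(strings.replace_confusables(sender.display_name),
                    '*sendgrid*'
      )
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'sendgrid'
      ) <= 1
      // Brand in the local part only counts when there is no display name to
      // contradict it, or the subject also names the brand.
      or (
        strings.ilike(strings.replace_confusables(sender.email.local_part),
                      '*sendgrid*'
        )
        and (
          sender.display_name is null
          or strings.ilike(strings.replace_confusables(subject.subject),
                           '*sendgrid*'
          )
        )
      )
      // Visual match: SendGrid logo detected in the rendered message.
      or any(ml.logo_detect(file.message_screenshot()).brands,
             .name == "SendGrid" and .confidence == "high"
      )
    )
    or (
      // Twilio impersonation patterns (same display-name / local-part logic
      // as the SendGrid branch).
      // NOTE(review): this branch has no logo_detect clause, unlike the
      // SendGrid branch; confirm whether a Twilio brand is available to the
      // model before adding one.
      strings.ilike(strings.replace_confusables(sender.display_name), '*twilio*')
      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
                              'twilio'
      ) <= 1
      or (
        strings.ilike(strings.replace_confusables(sender.email.local_part),
                      '*twilio*'
        )
        and (
          sender.display_name is null
          or strings.ilike(strings.replace_confusables(subject.subject),
                           '*twilio*'
          )
        )
      )
    )
  )
  and (
    // Content analysis using ML/NLU: the same topic and intent checks are run
    // on the thread text and on OCR of the rendered message, so text embedded
    // in images is covered as well.
    any(ml.nlu_classifier(body.current_thread.text).topics,
        .name in (
          "Security and Authentication",
          "Secure Message",
          "Reminders and Notifications",
          "Software and App Updates"
        )
        and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).topics,
           .name in (
             "Security and Authentication",
             "Secure Message",
             "Reminders and Notifications",
             "Software and App Updates"
           )
           and .confidence in ("medium", "high")
    )
    or any(ml.nlu_classifier(body.current_thread.text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
    or any(ml.nlu_classifier(beta.ocr(file.message_screenshot()).text).intents,
           .name == "cred_theft" and .confidence == "high"
    )
  )

  // Legitimate senders: org domains and Twilio/SendGrid-owned domains are
  // excluded only when DMARC passes. A failing DMARC result from one of these
  // domains keeps the message in scope (spoofed legitimate domain).
  // NOTE(review): when no DMARC evaluation is recorded, dmarc.pass may be
  // absent; confirm how the engine evaluates `not (... and <null>)` here.
  and not (
    (
      sender.email.domain.root_domain in $org_domains
      or (
        sender.email.domain.root_domain in (
          "sendgrid.com",
          "sendgrid.net",
          "twilio.com",
          "swoogo.com", // events planning software used by Twilio
          "sendsafely.com" // secure delivery used by Twilio
        )
      )
    )
    and headers.auth_summary.dmarc.pass
  )
  // High-trust domains are likewise excluded only with a DMARC pass. Any other
  // sender domain is not gated on authentication at all: an untrusted domain
  // that matches the brand and content checks alerts regardless of its DMARC
  // result.
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )
  // Solicited senders (per the sender profile) are excluded.
  and not profile.by_sender().solicited

attack_types:
  - "BEC/Fraud"
  - "Credential Phishing"
  - "Spam"
tactics_and_techniques:
  - "Impersonation: Brand"
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
  - "Natural Language Understanding"
  - "Optical Character Recognition"
  - "Sender analysis"
id: "d800124f-6aa4-58e1-8fa7-beec4958924f"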