Brand impersonation: SendGrid

Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: SendGrid"
 2description: "Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains sendgrid
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*sendgrid*'
12      )
13      // levenshtein distance similar to sendgrid
14      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
15                              'sendgrid'
16      ) <= 1
17      // no display name, local_part contains sendgrid 
18      or (
19        strings.ilike(strings.replace_confusables(sender.email.local_part),
20                      '*sendgrid*'
21        )
22        and (
23          sender.display_name is null
24          or strings.ilike(strings.replace_confusables(subject.subject),
25                           '*sendgrid*'
26          )
27        )
28      )
29    )
30    or any(ml.logo_detect(beta.message_screenshot()).brands,
31         .name == "SendGrid" and .confidence == "high"
32    )
33  )
34  and (
35    any(beta.ml_topic(body.current_thread.text).topics,
36        .name in (
37          "Security and Authentication",
38          "Secure Message",
39          "Reminders and Notifications",
40          "Software and App Updates"
41        )
42        and .confidence in ("medium", "high")
43    )
44    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
45           .name in (
46             "Security and Authentication",
47             "Secure Message",
48             "Reminders and Notifications",
49             "Software and App Updates"
50           )
51           and .confidence in ("medium", "high")
52    )
53    or any(ml.nlu_classifier(body.current_thread.text).intents,
54           .name == "cred_theft" and .confidence == "high"
55    )
56    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
57           .name == "cred_theft" and .confidence == "high"
58    )
59  )
60  
61  // and the sender is not in org_domains or from sendgrid domains and passes auth
62  and not (
63    sender.email.domain.root_domain in $org_domains
64    or (
65      sender.email.domain.root_domain in ("sendgrid.com", "sendgrid.net")
66      and headers.auth_summary.dmarc.pass
67    )
68  )
69  // and the sender is not from high trust sender root domains
70  and (
71    (
72      sender.email.domain.root_domain in $high_trust_sender_root_domains
73      and not headers.auth_summary.dmarc.pass
74    )
75    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
76  )
77  and not profile.by_sender().solicited  
78
79attack_types:
80  - "BEC/Fraud"
81  - "Credential Phishing"
82  - "Spam"
83tactics_and_techniques:
84  - "Impersonation: Brand"
85  - "Social engineering"
86detection_methods:
87  - "Content analysis"
88  - "Header analysis"
89  - "Natural Language Understanding"
90  - "Optical Character Recognition"
91  - "Sender analysis"
92id: "d800124f-6aa4-58e1-8fa7-beec4958924f"
to-top