Brand Impersonation: SendGrid

calendar Apr 15, 2025  ·
Share on: linkedin copy

Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources.

Sublime rule (View on GitHub)

 1name: "Brand Impersonation: SendGrid"
 2description: "Detects inbound messages that impersonate SendGrid through display name or domain manipulation, combined with security or authentication-themed content, while failing authentication checks and originating from untrusted sources."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    // display name contains sendgrid
 9    (
10      strings.ilike(strings.replace_confusables(sender.display_name),
11                    '*sendgrid*'
12      )
13      // levenshtein distance similar to sendgrid
14      or strings.ilevenshtein(strings.replace_confusables(sender.display_name),
15                              'sendgrid'
16      ) <= 1
17      // no display name, local_part contains sendgrid 
18      or (
19        strings.ilike(strings.replace_confusables(sender.email.local_part),
20                      '*sendgrid*'
21        )
22        and sender.display_name is null
23      )
24    )
25  )
26  and (
27    any(beta.ml_topic(body.current_thread.text).topics,
28        .name in (
29          "Security and Authentication",
30          "Secure Message",
31          "Reminders and Notifications"
32        )
33        and .confidence in ("medium", "high")
34    )
35    or any(beta.ml_topic(beta.ocr(beta.message_screenshot()).text).topics,
36           .name in (
37             "Security and Authentication",
38             "Secure Message",
39             "Reminders and Notifications"
40           )
41           and .confidence in ("medium", "high")
42    )
43    or any(ml.nlu_classifier(body.current_thread.text).intents,
44           .name == "cred_theft" and .confidence == "high"
45    )
46    or any(ml.nlu_classifier(beta.ocr(beta.message_screenshot()).text).intents,
47           .name == "cred_theft" and .confidence == "high"
48    )
49  )
50  
51  // and the sender is not in org_domains or from sendgrid domains and passes auth
52  and not (
53    sender.email.domain.root_domain in $org_domains
54    or (
55      sender.email.domain.root_domain in ("sendgrid.com")
56      and headers.auth_summary.dmarc.pass
57    )
58  )
59  // and the sender is not from high trust sender root domains
60  and (
61    (
62      sender.email.domain.root_domain in $high_trust_sender_root_domains
63      and not headers.auth_summary.dmarc.pass
64    )
65    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
66  )
67  and not profile.by_sender().solicited  
68
69attack_types:
70  - "BEC/Fraud"
71  - "Credential Phishing"
72  - "Spam"
73tactics_and_techniques:
74  - "Impersonation: Brand"
75  - "Social engineering"
76detection_methods:
77  - "Content analysis"
78  - "Header analysis"
79  - "Natural Language Understanding"
80  - "Optical Character Recognition"
81  - "Sender analysis"
82id: "d800124f-6aa4-58e1-8fa7-beec4958924f"
to-top