Vendor Compromise: GovDelivery Message With Suspicious Link

calendar Jun 4, 2025  ·
Share on: linkedin copy

Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails.

Sublime rule (View on GitHub)

 1name: "Vendor Compromise: GovDelivery Message With Suspicious Link"
 2description: "Detects messages from GovDelivery that contain links to non-government domains, URL shorteners, newly registered domains, or domains with suspicious redirects. GovDelivery is a digital communications system that lets government agencies send updates via email, text, and social media. We have observed compromised American municipal and county GovDelivery delivering phishing emails."
 3type: "rule"
 4severity: "high"
 5source: |
 6  type.inbound
 7  and (
 8    sender.email.domain.domain == "public.govdelivery.com"
 9    or any(headers.domains, .root_domain == "govdelivery.com")
10  )
11  and (headers.auth_summary.spf.pass or headers.auth_summary.dmarc.pass)
12  and length(body.links) < 10
13  and any(body.links,
14          any(filter(regex.extract(.href_url.path, '/CL0/(?P<url>.*?)/1/'),
15                     strings.parse_url(.named_groups["url"]).domain.root_domain not in (
16                       "google.com",
17                       "govdelivery.com",
18                       "granicus.com",
19                       "legistar1.com" // domain owned by granicus
20                     )
21                     and strings.parse_url(.named_groups["url"]).domain.tld not in (
22                       "gov"
23                     )
24              ),
25              // this is inside the filtered results to avoid flagging this condition on known link domains, as listed above
26              strings.parse_url(.named_groups["url"]).domain.domain in $url_shorteners
27              or strings.parse_url(.named_groups["url"]).domain.root_domain in $url_shorteners
28              or strings.parse_url(.named_groups["url"]).domain.domain in $free_subdomain_hosts
29              or strings.parse_url(.named_groups["url"]).domain.root_domain in $free_subdomain_hosts
30              or network.whois(strings.parse_url(.named_groups["url"]).domain).days_old < 30
31              or any(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history,
32                     network.whois(.domain).days_old < 30
33                     or strings.icontains(.domain.domain, "ipfs")
34                     or regex.icontains(.query_params, '[\.-/]ipfs[\.-/]')
35              )
36              // page redirects to common website, observed when evasion happens
37              or (
38                length(ml.link_analysis(strings.parse_url(.named_groups["url"])).redirect_history
39                ) > 1
40                and ml.link_analysis(strings.parse_url(.named_groups["url"])).effective_url.domain.root_domain in $tranco_10k
41              )
42          )
43  )  
44attack_types:
45  - "Credential Phishing"
46  - "Malware/Ransomware"
47tactics_and_techniques:
48  - "Free subdomain host"
49  - "IPFS"
50  - "Social engineering"
51  - "Evasion"
52  - "Impersonation: Brand"
53detection_methods:
54  - "Natural Language Understanding"
55  - "URL analysis"
56  - "Whois"
57id: "0d2d5172-de93-5452-872e-68db64b089ce"
to-top