Sendgrid voicemail phish

The message may contain a fake voicemail notification being sent via Sendgrid.

Sublime rule

 1name: "Sendgrid voicemail phish"
 2description: |
 3    The message may contain a fake voicemail notification being sent via Sendgrid.
 4reference:
 5  - "https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/comment-page-1/"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and headers.return_path.domain.domain == 'sendgrid.net'
11  and (
12    regex.icontains(strings.replace_confusables(subject.subject),
13                    'v[o0][il1]cema[il1][li1]',
14                    'v[o0][il1]ce message'
15    )
16    or any(ml.nlu_classifier(body.current_thread.text).topics,
17           .name == "Voicemail Call and Missed Call Notifications"
18           and .confidence == "high"
19    )
20  )
21  and any(ml.nlu_classifier(body.current_thread.text).intents,
22          .name not in ("benign")
23  )  
24attack_types:
25  - "Credential Phishing"
26tactics_and_techniques:
27  - "Social engineering"
28detection_methods:
29  - "Content analysis"
30  - "Header analysis"
31id: "21cad89c-55e0-5cf1-8677-bf0242633a82"