Sendgrid voicemail phish
Flags inbound messages relayed through Sendgrid (Return-Path domain `sendgrid.net`) whose subject or body reads as a voicemail / missed-call notification — a credential-phishing lure associated with compromised Sendgrid customer accounts.
Sublime rule
# Sublime Security detection rule (MQL embedded in YAML).
# Targets voicemail-notification lures relayed through Sendgrid — the abuse
# pattern in the Krebs reference below, where hijacked Sendgrid customer
# accounts were used to send phishing at scale.
name: "Sendgrid voicemail phish"
description: |
  The message may contain a fake voicemail notification being sent via Sendgrid.
reference:
  - "https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/comment-page-1/"
type: "rule"
severity: "high"
# Detection logic. All three top-level conjuncts must hold:
#   1. Inbound message whose Return-Path registered domain is sendgrid.net,
#      i.e. the envelope sender says the mail was relayed through Sendgrid.
#      Nothing here checks SPF/DKIM, so this is the recorded envelope-sender
#      domain rather than a verified Sendgrid origin; voicemail lures sent via
#      other ESPs will not fire this rule by design.
#   2. Either the subject (after confusable-character normalisation) matches a
#      "voicemail" / "voice message" pattern — the [o0]/[il1] classes tolerate
#      look-alike substitutions that survive normalisation — or the NLU
#      classifier labels the current thread body as a voicemail / missed-call
#      notification with high confidence.
#   3. The NLU classifier returns at least one intent other than "benign" for
#      the current thread body. any() over an empty intent list should
#      evaluate false, so a message with no intents at all is not flagged;
#      this acts as a false-positive guard for legitimate voicemail services
#      that happen to send through Sendgrid.
# Only body.current_thread.text is classified; quoted earlier messages in the
# thread are ignored.
source: |
  type.inbound
  and headers.return_path.domain.domain == 'sendgrid.net'
  and (
    regex.icontains(strings.replace_confusables(subject.subject),
      'v[o0][il1]cema[il1][li1]',
      'v[o0][il1]ce message'
    )
    or any(ml.nlu_classifier(body.current_thread.text).topics,
      .name == "Voicemail Call and Missed Call Notifications"
      and .confidence == "high"
    )
  )
  and any(ml.nlu_classifier(body.current_thread.text).intents,
    .name not in ("benign")
  )
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
# NOTE(review): the source relies on ml.nlu_classifier but this list does not
# name a natural-language-understanding method — confirm against the repo's
# convention for detection_methods before changing.
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "21cad89c-55e0-5cf1-8677-bf0242633a82"