Sendgrid voicemail phish

Detects a fake voicemail notification that was relayed through SendGrid (Return-Path on sendgrid.net). Lures of this kind were sent in volume from hijacked SendGrid customer accounts in 2020 (see the reference in the rule), so the sender domain alone cannot be trusted; the rule pairs the header check with a voicemail-themed subject and a non-benign intent from the NLU classifier on the body.

Sublime rule

name: "Sendgrid voicemail phish"
description: |
    The message may contain a fake voicemail notification being sent via Sendgrid.
reference:
  - "https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/comment-page-1/"
type: "rule"
severity: "high"
source: |
  type.inbound
  and headers.return_path.domain.domain == 'sendgrid.net'
  and strings.ilike(subject.subject, '*voicemail*', '*voice message*')
  and any(ml.nlu_classifier(body.current_thread.text).intents, .name not in ("benign", "unknown"))
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "21cad89c-55e0-5cf1-8677-bf0242633a82"
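To see what each clause of the rule contributes, here is an added Python re-implementation of its four conditions run over constructed sample messages. It is not Sublime's engine or its MQL evaluator, and the function names (evaluate_rule, return_path_domain, ilike, classify_intents) are ours. Two parts are assumptions: the registered-domain extraction uses a two-label heuristic rather than the public suffix list, and ml.nlu_classifier is replaced by a keyword heuristic, so the intent clause is only a stand-in for the ML model the real rule calls.

```python
# Added illustration of the Sublime rule's logic in plain Python.
# Not Sublime's code; names and the sample messages below are constructed.
import email
import fnmatch
import re
from email import policy
from email.message import EmailMessage


def ilike(value: str, *patterns: str) -> bool:
    """strings.ilike(): case-insensitive glob, true if ANY pattern matches."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def return_path_domain(msg: EmailMessage) -> str:
    """headers.return_path.domain.domain: registered domain of the Return-Path.
    Assumption: last two labels stand in for a public-suffix-list lookup,
    which is enough for sendgrid.net / bounces.sendgrid.net."""
    m = re.search(r"@([A-Za-z0-9.-]+)", str(msg.get("Return-Path", "")))
    if not m:
        return ""
    return ".".join(m.group(1).lower().split(".")[-2:])


# Stand-in for ml.nlu_classifier(...).intents (assumption, not the ML model):
# an action lure plus a credential or urgency cue is labelled "cred_theft".
LURE = re.compile(r"\b(listen|play|review|access|click|open)\b", re.I)
CRED = re.compile(r"\b(sign in|log ?in|password|verify|credentials)\b", re.I)
URGENT = re.compile(r"\b(expires?|within \d+ hours?|immediately|urgent)\b", re.I)


def classify_intents(text: str) -> list[str]:
    if LURE.search(text) and (CRED.search(text) or URGENT.search(text)):
        return ["cred_theft"]
    return ["benign"] if text.strip() else ["unknown"]


def body_text(msg: EmailMessage) -> str:
    """Approximates body.current_thread.text: plain part, else tag-stripped HTML."""
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return ""
    text = part.get_content()
    if part.get_content_type() == "text/html":
        text = re.sub(r"<[^>]+>", " ", text)
    return text


def evaluate_rule(raw: bytes, inbound: bool = True) -> dict:
    """Evaluate the four ANDed clauses; returns each clause plus the overall match."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    checks = {
        "inbound": inbound,
        "return_path_sendgrid": return_path_domain(msg) == "sendgrid.net",
        "voicemail_subject": ilike(subject, "*voicemail*", "*voice message*"),
        "non_benign_intent": any(
            i not in ("benign", "unknown") for i in classify_intents(body_text(msg))
        ),
    }
    checks["match"] = all(checks.values())
    return checks


# Constructed samples (not real captures). The Return-Path shape mimics a
# SendGrid bounce address; the addresses and domains are invented.
PHISH = b"""Return-Path: <bounces+123-abcd-user=example.com@sendgrid.net>
From: "Voice Portal" <noreply@example-telecom.test>
To: user@example.com
Subject: New VoiceMail Received (00:47)
Content-Type: text/plain; charset="utf-8"

You have a new voice message. Click to listen now and sign in with your
email password to review it. The recording expires within 24 hours.
"""

LEGIT_SENDGRID = b"""Return-Path: <bounces+456-efgh-user=example.com@sendgrid.net>
From: "Shop" <news@shop.test>
To: user@example.com
Subject: Your weekly deals
Content-Type: text/plain; charset="utf-8"

Here are this week's offers. Click to open the catalogue.
"""

INTERNAL_VM = b"""Return-Path: <pbx@example.com>
From: "PBX" <pbx@example.com>
To: user@example.com
Subject: Voicemail from extension 2210
Content-Type: text/plain; charset="utf-8"

A new voicemail has been left for you in your mailbox.
"""

if __name__ == "__main__":
    for name, raw in [("PHISH", PHISH), ("LEGIT_SENDGRID", LEGIT_SENDGRID), ("INTERNAL_VM", INTERNAL_VM)]:
        print(name, evaluate_rule(raw))
```

Running it shows why all four clauses are needed: the legitimate SendGrid mailing shares the sendgrid.net Return-Path but fails the subject clause, the internal PBX notice passes the subject clause but fails both the header and the intent clause, and only the constructed phish passes all four. In production the intent clause is the one doing the heavy lifting against false positives, since sendgrid.net is also the Return-Path of countless legitimate customers; tune or replace the keyword stand-in rather than trusting it as-is.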