Sendgrid voicemail phish
The message may contain a fake voicemail notification being sent via Sendgrid.
Sublime rule
name: "Sendgrid voicemail phish"
description: |
  The message may contain a fake voicemail notification being sent via Sendgrid.
reference:
  - "https://krebsonsecurity.com/2020/08/sendgrid-under-siege-from-hacked-accounts/comment-page-1/"
type: "rule"
severity: "high"
source: |
  type.inbound
  and headers.return_path.domain.domain == 'sendgrid.net'
  and strings.ilike(subject.subject, '*voicemail*', '*voice message*')
  and any(ml.nlu_classifier(body.current_thread.text).intents, .name not in ("benign", "unknown"))
attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Social engineering"
detection_methods:
  - "Content analysis"
  - "Header analysis"
id: "21cad89c-55e0-5cf1-8677-bf0242633a82"
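
The rule's Return-Path and subject conditions, approximated in Python for checking raw messages offline. This is an added example, not part of the rule or of Sublime's code. The function names and sample messages are constructed, `type.inbound` is not modelled, and the intent names are passed in by the caller as a stand-in for `ml.nlu_classifier`.

```python
import email
from email import policy
from email.utils import parseaddr
from fnmatch import fnmatchcase

SUBJECT_PATTERNS = ("*voicemail*", "*voice message*")  # patterns from the rule
BENIGN_INTENTS = {"benign", "unknown"}                 # intents the rule ignores

def return_path_domain(msg):
    """Full domain of the Return-Path address, lower-cased ('' if absent)."""
    _, addr = parseaddr(str(msg.get("Return-Path", "")))
    return addr.rpartition("@")[2].lower()

def ilike(value, patterns):
    """Case-insensitive wildcard match of value against any pattern."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def rule_matches(raw, intents):
    """raw: RFC 5322 text; intents: classifier intent names (caller-supplied)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return (
        return_path_domain(msg) == "sendgrid.net"  # exact match, as in the rule
        and ilike(str(msg.get("Subject", "")), SUBJECT_PATTERNS)
        and any(name not in BENIGN_INTENTS for name in intents)
    )

# Constructed sample messages (not real mail).
VOICEMAIL = (
    "Return-Path: <bounces+0000-abcd-user=example.com@sendgrid.net>\n"
    "From: Voice Service <noreply@example.org>\n"
    "Subject: New VoiceMail received (00:42)\n\n"
    "Sign in to listen to your message.\n"
)
NEWSLETTER = VOICEMAIL.replace("New VoiceMail received (00:42)", "March newsletter")
OTHER_SENDER = VOICEMAIL.replace("@sendgrid.net", "@mail.example.net")

if __name__ == "__main__":
    cases = [
        ("voicemail via sendgrid.net", VOICEMAIL, ["cred_theft"]),
        ("same message, benign intent", VOICEMAIL, ["benign"]),
        ("newsletter via sendgrid.net", NEWSLETTER, ["cred_theft"]),
        ("voicemail, other return path", OTHER_SENDER, ["cred_theft"]),
    ]
    for label, raw, intents in cases:
        print(f"{label}: {rule_matches(raw, intents)}")
```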