Brand impersonation: Mailgun

Impersonation of the Mailgun Email delivery platform.

Sublime rule (View on GitHub)

# Sublime Security MQL rule. Flags inbound mail that references the Mailgun brand
# (sender fields, subject, HTML <title> / logo alt text, copyright line, or a detected
# logo) unless it can be tied to Mailgun/Sinch-owned domains with passing DMARC or
# matches one of the allow-listed false-positive cases below.
name: "Brand impersonation: Mailgun"
description: "Impersonation of the Mailgun Email delivery platform."
type: "rule"
severity: "medium"
source: |
  type.inbound
  and (
    // brand name in any sender field or the subject, after replace_confusables
    // is applied; the [il][il] classes also catch common i/l swaps such as
    // "maligun" or "maiigun"
    any([
          sender.display_name,
          sender.email.domain.domain,
          sender.email.local_part,
          subject.subject
        ],
        regex.icontains(strings.replace_confusables(.), "ma[il][il]gun")
    )
    // brand name in the HTML <title>, or a logo image whose alt text is "Mailgun Logo"
    or regex.icontains(body.html.raw,
                       '<title>.*mailgun.*</title>',
                       'alt\s*=\s*"\s*Mailgun\s*Logo\s*"'
    )
    // copyright-style footer in the current thread, e.g. "© 2024 Mailgun" or "Mailgun ©"
    or regex.icontains(body.current_thread.text,
                       '[©®]\s*(20\d\d\s*)?Mailgun',
                       'mailgun\s*[©®]'
    )
    // ml.logo_detect on a screenshot of the message reports the Mailgun brand
    // with at least medium confidence
    or any(ml.logo_detect(file.message_screenshot()).brands,
           .name == "Mailgun" and .confidence in ("medium", "high")
    )
  )
  and not (
    // sent from Mailgun itself, its parent, or a known false-positive domain --
    // and only when DMARC passes, so a spoofed From: on these domains does not qualify
    (
      sender.email.domain.root_domain in (
        'mailgun.com',
        'mailgun.net', // official mailgun domains
        'sinch.com', // parent company of Mailgun
        'mailgunwarmup.com', // an unrelated b2b firm
        'emailonacid.com', // another sinch email product
        'elior-na.com', // a domain with a similar logo that catches on logo_detect
        'brembo.com' // a domain with a similar logo that catches on logo_detect
      )
      and headers.auth_summary.dmarc.pass
    )
    // also exclude when a To: recipient is on one of the similar-logo domains
    // and that same recipient already appears as a quoted "From: " line in the
    // displayed body, i.e. this is a reply within an existing thread
    or (
      any(recipients.to,
          .email.domain.root_domain in ("elior-na.com", "brembo.com")
      )
      and any(filter(recipients.to,
                     .email.domain.root_domain in ("elior-na.com", "brembo.com")
              ),
              (
                strings.icontains(body.html.display_text,
                                  strings.concat("From: ", .email.email)
                )
                or strings.icontains(body.html.display_text,
                                     strings.concat("From: ", .display_name)
                )
              )
      )
    )
    or 
    // some domains have "mailgun" as a subdomain (or in the local part) and are
    // genuinely sent via mailgun; these are unlikely to be impersonations
    (
      (
        strings.icontains(sender.email.domain.domain, "mailgun")
        or strings.icontains(sender.email.local_part, "mailgun")
      )
      and (
        // if a mailgun.com / mailgun.net domain is among the header-derived
        // domains (headers.domains), very likely not impersonation
        any(headers.domains, .root_domain in ('mailgun.com', 'mailgun.net'))
        // otherwise count X-Mailgun-* fields on the first two hops (index 0 and 1);
        // 3 or more is treated as genuine Mailgun traffic
        // NOTE(review): an earlier comment said "4 or more" while the code threshold
        // is >= 3 -- confirm which value is intended
        // NOTE(review): both signals above are header-derived and therefore under the
        // sender's control; a spoofer with "mailgun" in their address who adds matching
        // headers would satisfy this exclusion -- confirm that trade-off is accepted
        or sum(map(filter(headers.hops, .index < 2),
                   length(filter(.fields,
                                 strings.starts_with(.name, "X-Mailgun-")
                          )
                   )
               )
        ) >= 3
      )
    )
  )
  // negate highly trusted sender domains unless they fail DMARC authentication
  and (
    (
      sender.email.domain.root_domain in $high_trust_sender_root_domains
      and not headers.auth_summary.dmarc.pass
    )
    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
  )  
attack_types:
  - "Credential Phishing"
  - "BEC/Fraud"
tactics_and_techniques:
  - "Impersonation: Brand"
# NOTE(review): the rule also keys on body text, raw HTML and ml.logo_detect, so
# "Sender analysis" alone under-describes it -- consider adding the corresponding
# detection_methods values if the taxonomy provides them
detection_methods:
  - "Sender analysis"
id: "59cc84e6-e16c-58e7-94ad-78dad315e5ab"