Brand impersonation: Mailgun

calendar Aug 5, 2025  ·
Share on: linkedin copy

Impersonation of the Mailgun Email delivery platform.

Sublime rule (View on GitHub)

 1name: "Brand impersonation: Mailgun"
 2description: "Impersonation of the Mailgun Email delivery platform."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and (
 8    any([
 9          sender.display_name,
10          sender.email.domain.domain,
11          sender.email.local_part,
12          subject.subject
13        ],
14        regex.icontains(strings.replace_confusables(.), "ma[il][il]gun")
15    )
16    or regex.icontains(body.html.raw, 
17      '<title>.*mailgun.*</title>', 'alt\s*=\s*"\s*Mailgun\s*Logo\s*"'
18    )
19    or regex.icontains(body.current_thread.text,
20                       '[©®]\s*(20\d\d\s*)?Mailgun',
21                       'mailgun\s*[©®]'
22    )
23    or any(ml.logo_detect(beta.message_screenshot()).brands,
24           .name == "Mailgun" and .confidence in ("medium", "high")
25    )
26  )
27  and not (
28    // sent from mailgun actual
29    (
30      sender.email.domain.root_domain in (
31        'mailgun.com',
32        'mailgun.net', // official mailgun domains
33        'sinch.com', // parent company of Mailgun
34        'mailgunwarmup.com', // an unrelated b2b firm
35        'emailonacid.com', // another sinch email product 
36        'elior-na.com', // a domain with a simliar logo that catches on logo_detect
37        'brembo.com' // a domain with a simliar logo that catches on logo_detect
38      )
39      and headers.auth_summary.dmarc.pass
40    )
41    // and not where the recipient include the domain with a simliar logo
42    // and where that recipient shows up in a previous thread
43    or (
44      any(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com"))
45      and any(filter(recipients.to, .email.domain.root_domain in ("elior-na.com", "brembo.com")),
46              (
47                  strings.icontains(body.html.display_text, strings.concat("From: ", .email.email))
48                  or strings.icontains(body.html.display_text, strings.concat("From: ", .display_name))
49              )
50      )
51    )
52    or 
53    // some domains have "mailgun" as a subdomain and are sent via mailgun
54    // these are unlikely to be impersonations
55    (
56      (
57        strings.icontains(sender.email.domain.domain, "mailgun")
58        or strings.icontains(sender.email.local_part, "mailgun")
59      )
60      and (
61        // if mailgun action was in the header.hops very likely not impersonation
62        any(headers.domains, .root_domain in ('mailgun.com', 'mailgun.net'))
63        // but if not and there are 4 or more X-Mailgun headers, likely not impersonation
64        or sum(map(filter(headers.hops, .index < 2),
65                   length(filter(.fields,
66                                 strings.starts_with(.name, "X-Mailgun-")
67                          )
68                   )
69               )
70        ) >= 3
71      )
72    )
73  )
74  // negate highly trusted sender domains unless they fail DMARC authentication
75  and (
76    (
77      sender.email.domain.root_domain in $high_trust_sender_root_domains
78      and not headers.auth_summary.dmarc.pass
79    )
80    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
81  )  
82attack_types:
83  - "Credential Phishing"
84  - "BEC/Fraud"
85tactics_and_techniques:
86  - "Impersonation: Brand"
87detection_methods:
88  - "Sender analysis"
89id: "59cc84e6-e16c-58e7-94ad-78dad315e5ab"
to-top